Abstract



In this monograph, the fault-hiding approach to reconfigurable fault-tolerant control
is extended from linear dynamical systems to two classes of nonlinear dynamical
systems. Reconfigurable control is a means for improving the reliability of a controlled
dynamical system that is subject to component faults, such as actuator failure
or sensor failure. Reconfigurable control changes the control law after the occurrence
of faults in real time and without human interaction so that the reconfigured
closed-loop system continues to fulfill its function. This control adjustment step becomes
necessary if the faults are so severe that they open the feedback control loop,
so that, without remedial actions, the faulty system operates in open loop.

Control reconfiguration happens autonomously without human interaction; therefore,
it is of paramount importance that minimum invasive changes to the control law
be made. This consideration favors the use of virtual sensors in the case of sensor
faults, which replace the output of a broken sensor with an estimate. In the case of
actuator faults, virtual actuators are used, which orchestrate the functioning actuators
in order to mimic the effect of control actions of failed actuators. The advantage
of the use of virtual sensors and virtual actuators as reconfiguration blocks lies in
the reusability of the nominal controller in the reconfigured closed-loop system.

In this monograph, the notions of virtual sensors and virtual actuators are extended
from linear dynamical systems towards Hammerstein-Wiener systems and
towards piecewise affine systems. Each class of systems represents an essential aspect
of nonlinear behaviour. Hammerstein systems can, in addition to expressing
general nonlinear actuator characteristics, represent actuator constraints by means
of input saturations. Piecewise affine systems are capable of approximating nonlinear
dynamics to better accuracy and with a larger domain of validity than linear
systems.

Several different reconfiguration goals of varying strength are defined and followed
in this monograph, which refer to the recovery of nominal closed-loop specifications
in terms of stability, setpoint tracking, and performance. The notions
of virtual sensors and virtual actuators are generalised to nonlinear systems, and
synthesis methods are stated and proven for the classes of Hammerstein-Wiener
systems and piecewise affine systems. Depending on the system class and the
reconfiguration goal, the parameters for the virtual actuators and virtual sensors
result from the solutions of equivalent output regulation problems. Sufficient conditions
for the solvability of these problems are stated and compared to corresponding
linear conditions. The robustness of the new methods with respect to uncertainties
of the faulty plant model is shown. The methods developed in this monograph
are based on several different stability and performance concepts, on linear matrix
inequalities, and polytopes. Two examples are woven into the text in order to illustrate
the ideas.

The monograph concludes with descriptions of the application framework, with 
experimental evaluations of the new methods based on a thermofluid benchmark 
process implemented on a large-scale pilot plant, and a summary and discussion of 
open problems. 
Part I
Control Reconfiguration Problem



This part introduces and explains the reconfigurable control problem. The relevant
literature is discussed, and preliminary theoretical results required to understand and
to prove the main results are recalled from the literature. The reconfigurable control
problem is stated in its general form, and it is suitably formalised. The fault-hiding
approach is introduced, which is the general principle that all following approaches
are based on. The state of the art regarding linear fault-hiding approaches to reconfigurable
control is summarised.



Chapter 1 

Introduction to Reconfigurable Control 



1.1 Fault-Tolerant Control 

Fault-tolerant control (FTC) aims at making technological systems tolerant to faults.
This means that the system should fulfill its function also after the appearance of
degradation or failure in its components, such as actuators or sensors. Specifically,
the field is concerned with systems whose function depends on functioning feedback
control loops. Feedback controllers process measurement information into control
actions, producing the desired effect in the plant only if the involved actuators and
sensors function properly. Actuators and sensors are, however, subject to inevitable
faults, and fault-tolerant controllers should nevertheless maintain the system's main
functionality. This monograph focusses on actuator and sensor faults.

Fault-tolerant control thus aims at giving technological systems some of the remarkable
dependability properties found in biological systems. In today's complex
technological systems that consist of numerous components, classical quality improvement
steps at the component level become less and less sufficient for ensuring
overall dependability and reliability at the aggregate system level. Single components
are inevitably prone to unexpected failure, and the rising number of components
in complex systems and their interactions require new strategies for ensuring
reliable system operation.

System dependability defines the system to be safe and available (fulfilling its
task when needed). Dependability is a desirable property for several reasons of
varying importance. In production and manufacturing applications, system failure
potentially causes loss of financial profit due to production delays. In safety-critical
control application domains, such as in the aerospace and automotive industries, system
failure potentially causes personal injury or loss of life. In autonomous vehicles
such as planetary exploration rovers, unmanned aircraft, or unmanned underwater
vessels, reliability is mission-critical. Reliability is defined as the complementary
fault probability and does not take into account maintenance strategies. System dependability
is influenced by the number of involved components, by their individual
reliabilities that in turn depend on the component quality properties, by maintenance
schemes, and by a safety mechanism that shuts the system down into a safe
state before dangerous situations are reached. Traditionally, a given desired level
of system dependability is realised by quality assessment of the system components,
by the identification of single points of failure, by the adequate installation of parallel
redundant components, and by imposing and enforcing adequate maintenance
schedules [161].

See Appendix B for a glossary of the fault-tolerant control terminology.

This traditional engineering approach to designing dependable systems seems to 
work well in practice, although it has the following major shortcomings: 

• Quality improvement of individual components has limits imposed by budgets. 

• The installation of parallel redundancies is expensive. 

• Maintenance schemes tend to be conservative in the sense that the maintenance 
intervals are shorter than necessary in most situations. 

• Maintenance and repair on demand are unavailable options in autonomous 
systems. 

Therefore, it is vital in many applications that the system have built-in fault-tolerance
properties. While quality and maintenance focus on fault avoidance and
fault removal in individual components, fault-tolerant control exploits the control
loops that coordinate the behaviour of these components in order to achieve fault-tolerant
behaviour of the aggregate system. Fault-tolerant control complements the
classical elements of dependable system design by actively responding to unexpected
component failures. Through these steps, the system reliability is increased
and therefore also its dependability.

The previously described methods depend on the presence of redundancy, which
may take one of the two following forms. The term physical redundancy refers to
the presence of multiple identical instances of components that fulfill critically important
functions. Intuitive common-sense notions of redundancy usually refer to
physical redundancy. However, there exists the more general notion of analytical
redundancy, which means that multiple ways of affecting the system in a prescribed
way exist, or that multiple ways for retrieving the same information about the system
exist. In other words, there exist multiple mathematical relations between input variables,
state variables, and output variables, so that based on a mathematical system
model, an alternative relation may be used for control purposes if any relation disappears
due to a fault. Fault-tolerant control exploits the presence of redundancy
in order to achieve the control goals in spite of faults and failures of some of its
components.

Two ways of fault-tolerant control are distinguished, termed passive and active
fault-tolerant control. In passive fault-tolerant control, the controller used during
normal operation is given a-priori robustness against system parameter changes induced
by faults, such that it can directly handle a class of expected faults without
actively changing the control law. Since the post-fault controller is immediately
available after the occurrence of a fault, a passive fault-tolerant controller is part
of most practical FTC schemes. However, the passive approach results in conservative
controllers and usually leads to very limited performance. Furthermore, the
passive approach fails to provide any fault-tolerance against the complete failure of
main actuation or measurement elements. In order to improve the post-fault control
performance and in order to cover severe faults that break the control loop, it is generally
advantageous to switch to a new controller that is tailored to controlling the
faulty plant, thus complementing passive FTC strategies.

In a classical 1956 paper, John von Neumann expressed the idea that the problem of "building
reliable systems from unreliable components" should be addressed in a more systematic
fashion than previously [216]. This theme continues to influence electrical circuit design
to date [27], and it equally applies to complex control systems.

In information science, it has been long recognised that redundancy is closely linked to
entropy [114].
Fig. 1.1 Active fault-tolerant control involves fault diagnosis (FDI) and control reconfiguration
steps.



In active fault-tolerant control, the controller is actively changed after the occurrence
of a fault [21]. Active FTC consists of two successive steps that each require
the solution of a decision problem (Fig. 1.1):

1. Fault diagnosis (FDI), and

2. control re-adjustment.

Fault diagnosis performs three consecutive tasks [67]. It detects the presence of a
fault in the system, it isolates the faulty components, and it identifies a model of the
faulty system. The diagnosis component denoted as FDI in Fig. 1.1 is connected to
the control input u and the measured output y of the plant. Its decision is based on
the behaviour of the system as observed through the signals (u,y) that are available
from measurement. In summary, fault diagnosis decides which model adequately
represents the faulty plant. The successive control re-adjustment step decides about
a reconfigured controller that replaces the nominal controller. The re-adjustment
step is called

• fault accommodation if the sets of manipulated and measured signals u and
y remain unchanged, and if the control adjustment is limited to the controller
dynamics, or

• control reconfiguration, if both the controller dynamics and the closed-loop
structure, and possibly also the reference signal r, are changed.



This monograph describes new control reconfiguration methods, therefore Fig. 1.1
shows a re-adjustment block called "Control reconfiguration". A control scheme
that explicitly accounts for active reconfiguration of the closed-loop system during
closed-loop operation is called a reconfigurable control scheme.

1.2 Reconfigurable Control 



In the context of this monograph, reconfigurable control is about finding a new feedback
control law, called the reconfigured controller, after the occurrence of faults in
the system such that the reconfigured controller recovers the nominal closed-loop
control goals such as stability, asymptotic tracking and performance as well as possible.
The recovery usually cannot be perfect, therefore a graceful degradation is desirable,
meaning that as many components of the vector reference signal are tracked
as possible, and that the nominal performance is approximated in terms of a suitable
metric. The main distinction between reconfigurable control and fault accommodation
is that reconfigurable control includes modifications of the closed-loop signal
structure, which are excluded in fault accommodation. In other words, the use of
different input and output signals is allowed in reconfigurable control.

Reconfiguration in fault-tolerant control exploits the presence of redundancy in
the controlled system. Reconfigurable control is based on models of the fault-free
and the faulty system, where the latter is provided by the fault diagnosis component
[21] or by self-diagnosing actuators and sensors [49]. The model of the faulty plant
must express all redundancies so that automatic reconfiguration methods are enabled
to exploit them. An example for controller reconfiguration is shown in Fig. 1.2 for
a failure of the second actuator.
Fig. 1.2 Control reconfiguration after actuator failure re-routes the control action from faulty
to healthy actuators.



The re-routing of inputs around broken actuators is the key problem of reconfigurable
control after actuator failure, as shown in Fig. 1.2, where Actuator 2 fails.
The reconfigured controller uses Actuator 1 and Actuator 3 to mimic the effect of
Actuator 2 through different plant dynamics. In order to achieve successful reconfiguration,
Actuator 1 and Actuator 3 must together provide analytically redundant
alternatives for the functionality provided by the failed Actuator 2. Likewise, the
reconfiguration problem after sensor faults consists in finding a control law and a
suitable measurement vector to recover control over the variables of interest. The
problem consists in finding suitable alternative inputs and outputs avoiding the broken
ones, in other words, in adjusting the sets of control inputs and measured outputs
used by the reconfigured controller, as well as the dynamics of the reconfigured
controller.

Reconfigurable control must at least ensure that the reconfigured closed-loop system
is stable in a suitable sense. Furthermore, it is desirable to recover the nominal
closed-loop tracking and performance properties as far as possible. The exact recovery
of these properties is typically possible only in the presence of physical redundancy
in the system. In numerous technological systems, physical redundancy
is not available due to its cost. The appearance of actuator faults typically turns the
nominal system into an underactuated system, whereas the nominal system may be
either fully actuated or underactuated.

From a broader perspective, reconfigurable control is a general control adjustment
technique. Generally speaking, the need for reconfigurable control arises
whenever the controlled plant abruptly undergoes substantial structural changes.
Such changes in the plant can occur when certain components are switched off
for scheduled maintenance, or they occur as a consequence of abruptly appearing
fault effects. This monograph discusses reconfigurable control within the context of
fault-tolerance. Reconfigurable control after actuator failures is related to control allocation
as follows. The control allocation problem arises if a desired forcing action
can be realised by means of several combinations of the available actuators [106].
Control allocation problems typically arise in overactuated systems such as aircraft,
where multiple control surfaces are capable of producing the same aerodynamical
forces and moments. Since faults typically result in underactuated systems, the reconfigurable
control problem is more difficult than the control allocation problem.
The control allocation problem is contained in the reconfigurable control problem
as a special case. Due to the general formulation of the reconfiguration problem,
the results obtained in this monograph are easily transferred to other application
domains, such as control allocation.



1.3 Key Aspects Specific to Reconfigurable Control 

The following aspects characterise the reconfigurable control problem and illustrate
why the synthesis of reconfigurable controllers is much harder than nominal controller
synthesis.

• The reconfigured controller must be found online and autonomously. Namely,
the typical design cycle involving test simulations and engineering judgement
of the responses' adequateness is not available in autonomous reconfigurable
control. To satisfy autonomy, any design freedom available in reconfigurable
control synthesis methods must be either automatically assigned, or systematically
and a priori eliminated due to the lack of interaction with control
engineers.

• The computations must be completed in real-time, namely fast relative to the
time constants that govern the system behaviour. Otherwise, the reconfiguration
delay becomes unacceptably large. For this reason, only those controller
synthesis methods are usable with reconfigurable control that permit efficient
implementation in an autonomous computer program.

• The model of the faulty plant provided by the fault diagnosis component is 
typically uncertain. Thus, the reconfiguration should make minimum-invasive 
changes to the control law, and it should be robust against uncertainties in the 
model of the faulty plant provided by the diagnosis component. Especially if 
the faults affect few components of a large-scale plant, then the control actions 
to intact components given by the nominal controller may still be valid. 

The reconfigurable control methods described in this monograph are inspired by
these considerations and have been developed to meet these requirements. It is also
worthwhile noting at this point that in order to achieve successful model-based control
reconfiguration, the underlying models must represent all redundancies that are
present in the physical system. Otherwise, these redundancies cannot be exploited
in a model-based way.



1.4 Contributions and Structure of This Monograph 

The reconfigurable control approach developed in this monograph is based on the
idea of placing a reconfiguration block $\Sigma_R$ in between the nominal controller $\Sigma_C$ and
the faulty plant $\Sigma_{Pf}$ at reconfiguration time (see Fig. 1.3). The reconfiguration block
hides the fault from the controller. In other words, the reconfigured plant $\Sigma_{Pr}$ seen
from the signal pair $(u_c, y_c)$ must have the same input/output behaviour as the nominal
plant $\Sigma_P$ seen from the signal pair $(u_c, y)$. The reconfiguration block contains a
virtual sensor (an observer-like system) and a virtual actuator (a dual observer-like
system) in the general case. Apart from fault-hiding, the reconfiguration block must
achieve as many of the following goals as possible, which are formalised in later
chapters. The reconfigured closed-loop system $(\Sigma_{Pf}, \Sigma_R, \Sigma_C)$

1. must be stable,

2. should recover the tracking properties of the nominal closed-loop system,

3. should recover the performance properties of the nominal closed-loop system.

This idea is called the fault-hiding principle. It opens the way for minimum-invasive
changes of the controller. Its goal consists in the recovery of the mentioned nominal
closed-loop properties, therefore, the nominal closed-loop properties (such
as overshoot and settling time) need not be precisely specified for the purpose of
reconfigurable control. Furthermore, the reconfiguration problem is completely separated
from the controller in the fault-hiding approach, and its solvability analysis
only refers to system properties, instead of properties of the nominal controller. All
the reconfiguration solutions obtained in this monograph interoperate with arbitrary
nominal controllers.

Fig. 1.3 Fault-hiding approach to reconfigurable control: a) nominal closed-loop system, b)
faulty closed-loop system prior to diagnosis and reconfiguration, c) reconfigured closed-loop
system.

Figure 1.4 illustrates that after the occurrence of a fault at time $t_f$, the system
deviates from its specification (dashed). At time to, the fault is diagnosed, and the
determination of the reconfigured controller proceeds, finishing at time $t = 0$, when
the reconfigured controller is available. At that time, the faulty plant is in the
state $x(0) = x_0$. In the ideal case of perfect reconfiguration (or repair of the system),
the reconfigured system trajectories would follow nominal dynamics (solid
in Fig. 1.4). Realistically, the reconfiguration is not ideal at the state level, so that
the reconfigured system state trajectories differ from the nominal ones (dotted in
Fig. 1.4). The difference state is called $x_\Delta$, see Fig. 1.4, and will be central to the
ideas presented in this monograph.

Fig. 1.4 The reconfiguration problem starts at the initial time $t = 0$ and the initial condition
$x_0$.

The fault-hiding approach is extended from linear systems to two special classes
of nonlinear dynamical systems: Hammerstein-Wiener systems and piecewise affine
systems. Hammerstein-Wiener systems consist of linear dynamics and static functions
distorting the control inputs and measured outputs. In particular, these systems
can represent actuator saturations, which occur in most practical applications
and typically pose a challenge to stabilising control. In reconfigurable control after
actuator failure, typically the actuation power of lost actuators must be suitably distributed
to the remaining actuators. Consequently, fewer actuators have to generate
the same control effect, which makes the activation of actuator saturations likely and
the recovery of stability a particular challenge. For this reason, the development of
control reconfiguration theory for Hammerstein-Wiener systems is of considerable
practical relevance. Piecewise affine systems consist of a collection of affine dynamics
(linear plus offset), each of which is active in a particular region of the state
space. Piecewise affine systems can well approximate certain important classes of
nonlinear dynamics. Nonlinear dynamics become important as the system ranges
through a large part of the entire operating region. Such operation arises in startup
procedures, but also when the system departs from its operating point before the
fault can be detected and the reconfigured controller is activated. Thus, the extension
of control reconfiguration theory towards nonlinear dynamics is important. In
this monograph, continuous piecewise affine systems are considered.

For both classes of nonlinear systems, stability and tracking recovery problems
are solved. For saturated systems, the performance recovery problem is also solved.
The solutions are extensions of the virtual actuator and the virtual sensor, which
are known from linear systems, towards Hammerstein-Wiener and piecewise affine
systems. As an example, the linear virtual actuator $\Sigma_A$ is shown in Fig. 1.5.

The virtual actuator consists of a dynamical system that keeps track of the state
deviation $x_\Delta$ from nominal that is due to the actuator faults. This deviation is used
to determine fault compensation action $M x_\Delta$ and a measurement correction. The
linear virtual actuator is based on the superposition principle and the linear separation
principle. The extension of the virtual actuator and the virtual sensor in
this monograph overcomes the lack of both principles in nonlinear systems, where
suitable alternatives are used. All algorithms are suitable for autonomous implementation,
namely all algorithms work without user interaction. This monograph is
structured as follows.

Part I formulates and explains the reconfigurable control problem. The mathematical
background common to most chapters is briefly reviewed in Chapter 2. The
definitions of general reconfigurable control problems for nonlinear systems based
on the nominal and faulty system models are stated in Chapter 3. Fault-hiding solutions
to these problems for linear systems are recalled and extended in Chapter 4.

Part II covers the extension of the fault-hiding principle towards Hammerstein-Wiener
systems. The classes of nominal and faulty Hammerstein-Wiener systems
are introduced in Chapter 5, where also specific reconfiguration problems are formulated.
The stability recovery problem is solved for Hammerstein-Wiener systems
and combined actuator and sensor faults in Chapter 6. The problem of recovering
the nominal closed-loop setpoint tracking properties is solved for saturated systems
subject to actuator faults in Chapter 7. The additional recovery of the nominal
closed-loop performance properties for saturated systems subject to actuator faults
is solved in Chapter 8.

Fig. 1.5 The linear virtual actuator shown above is extended towards Hammerstein-Wiener
systems and to piecewise affine systems in this thesis.

Part III describes the extension of the fault-hiding principle towards piecewise
affine systems. The classes of nominal and faulty piecewise affine systems are introduced
in Chapter 9, where specific reconfiguration problems for piecewise affine
systems are formulated as well. The stability recovery problem is solved in Chapter 10.
The additional recovery of the nominal closed-loop tracking properties is
provided in Chapter 11. Robustness issues arising from the interconnection of piecewise
affine reconfiguration blocks with nonlinear systems are discussed in both
chapters.

Part IV shows applications of the developed methods. The general application
framework is summarised in Chapter 12. The experimental fault-tolerant control of
a thermofluid process is shown in Chapter 13. The monograph concludes with a
discussion of the results and open problems in Chapter 14.

Part V contains appendices that define acronyms and mathematical symbols
(Appendix A), that explain fault-tolerant control terminology in a glossary (Appendix B),
that define basic notions of linear geometric control (Appendix C), that
provide the technical proofs that do not fit well into the main text (Appendix D),
and that provide models of the thermofluid process used as an application example
in this monograph (Appendix E).

Throughout this monograph, definitions of key concepts and theorems that represent
major results are placed inside black frames to distinguish them from less
central definitions and results. The relevant literature is discussed in bibliographic
notes at the end of chapters, where applicable.



1.5 Running Examples 

Ship Control 

A powered ocean vessel is used as the first running example. The considered dynamics
concern the (forward) surge velocity $v$, the (sideways) sway velocity $w$, the
yaw angular rate $r$, and the heading $\psi$. All velocities are defined relative to a frame
of reference that is attached to the ship and relative to the water, which means that
the surge velocity is defined along the center axis (Fig. 1.6).

Fig. 1.6 Ship with local and earth-fixed reference frames (axis labels: surge $v$, sway $w$).



The ship has two fixed-angle thrusters that exert the forces $u_1$ and $u_2$ in the range
$\underline{u}_1 \le u_1 \le \overline{u}_1$, $\underline{u}_2 \le u_2 \le \overline{u}_2$ and that are mounted symmetrically left and right of the
ship centerline at the distance $b$. The rudder is used to apply a yaw moment $u_3$ in
the range $\underline{u}_3 \le u_3 \le \overline{u}_3$. The thruster forces $u_1$ and $u_2$ and the rudder moment are the
available control inputs to the system. All units are metric, thus forces are given in
Newton (N), torques are given in Newtonmeter (Nm), distances are given in Meters
(m), angles are given in Radian (rad), and time is given in Seconds (s). Due to this
convention, the units are frequently omitted.

Apart from the intentional propulsion forces and steering moments, the ship's
motion is affected by wind forces given in ship coordinates by $a_v$ along the surge
direction and $a_w$ along the sway direction. The wind/force model neglects the variations
of a ship's cross-section when seen from different directions.

With the mentioned simplifications and assumptions, the ship motion is described 
by the set of equations 
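$$\dot{v}(t) = \frac{m_{22}}{m_{11}}\, w(t)\, r(t) - \frac{d_{11}}{m_{11}}\, v(t) + \frac{1}{m_{11}} \bigl(u_1(t) + u_2(t)\bigr) + a_v(t) \tag{1.1}$$

$$\dot{w}(t) = -\frac{m_{11}}{m_{22}}\, v(t)\, r(t) - \frac{d_{22}}{m_{22}}\, w(t) + a_w(t) \tag{1.2}$$

$$\dot{r}(t) = \frac{m_{11} - m_{22}}{m_{33}}\, v(t)\, w(t) - \frac{d_{33}}{m_{33}}\, r(t) + \frac{1}{m_{33}} \left( \frac{b}{2} \bigl(u_1(t) - u_2(t)\bigr) + u_3(t) \right) \tag{1.3}$$

$$\dot{\psi}(t) = r(t), \tag{1.4}$$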

where the parameters $m_{ii} > 0$, $i = 1,2,3$ are given by the ship inertia and added
mass effects [160]. The parameters $d_{ii} > 0$ are given by hydrodynamical damping.
In order to obtain a solution of the system (1.1)–(1.4) starting from the time $t_0$, the
initial surge velocity $v(t_0) = v_0$, the initial sway velocity $w(t_0) = w_0$, the initial yaw
rate $r(t_0) = r_0$, and the initial heading $\psi(t_0) = \psi_0$ must be provided.

The available measurements are the surge velocity $v$ (from a speedometer), the
yaw rate $r$ (from a gyrometer), and the heading $\psi$ (from a compass), thus the equations
for the measured outputs are

$$y_1(t) = v(t) \tag{1.5}$$

$$y_2(t) = r(t) \tag{1.6}$$

$$y_3(t) = \psi(t). \tag{1.7}$$

The relevant controlled variables are the surge velocity $v$ and the heading $\psi$, thus the
equations for the controlled outputs are

$$z_1(t) = v(t) \tag{1.8}$$

$$z_2(t) = \psi(t). \tag{1.9}$$

The performance requirements are stability of the ship motion in the sense that
bounded inputs cause bounded state variables, asymptotic reference tracking for
surge velocity $v$ and heading $\psi$, and 10% overshoot limits on these two variables.
Although the ultimate goal consists in position trajectory following, a cascaded autopilot
scheme with a fast inner velocity/heading control loop and a slower outer
position control loop with reference trajectory generator is assumed to be present.
For the purpose of studying fault-tolerant control, only the inner loop for velocity
and heading control is considered.

The investigations regarding system analysis, nominal control, and fault-tolerant 
control will, therefore, be mostly done with respect to the surge, sway, and yaw 
velocities. Sometimes, however, the ship's motion will be illustrated with respect 
to an earth-fixed reference frame with the coordinates x and y. The relationship 
between the ship-fixed reference frame and the earth-fixed reference frames is given 
by the nonlinear kinematics 

.i(t) = v(t) cos(iKO) - w(t) sinOA(O) (1.10) 

y(t) = v(t) sinOMO) + w(t) cosOMO), (1-11) 






and the relationship between the wind forces $a_v$ and $a_w$ in the ship's coordinates
and the wind forces $a_x$ and $a_y$ in earth-fixed coordinates is given by the geometric
relationship

$$a_v(t) = a_x(t) \cos(\psi(t)) + a_y(t) \sin(\psi(t)) \tag{1.12}$$

$$a_w(t) = -a_x(t) \sin(\psi(t)) + a_y(t) \cos(\psi(t)). \tag{1.13}$$



The ship parameters used in this monograph are defined in Table 1.1. The model
reflects a small-scale supply vessel [160].



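Table 1.1 Parameters of the small-scale ship.

Parameter    Value    Saturation limit     Value
$m_{11}$     19       $\underline{u}_1$    -1
$m_{22}$     35.2     $\overline{u}_1$
$m_{33}$     4.2      $\underline{u}_2$    -1
$d_{11}$     4        $\overline{u}_2$
$d_{22}$     10       $\underline{u}_3$    -1
$d_{33}$     1        $\overline{u}_3$     -1
$b$          0.1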


The studied faults are the following:

• $f_1$: failure of the yaw rate gyro sensor,

• $f_2$: blockage of the rudder producing a constant yaw moment,

• $f_3$: floating rudder producing zero yaw moment,

• $f_4$: reduction of left thruster force range to 60%, in other words, $u_1 \in [-0.6; 0.6]$.

The particular problem to be solved in this monograph consists in finding reconfigured
controllers automatically and online. The practical goal that is used as a basis
for evaluating the reconfiguration success consists in circumnavigating an obstacle
(Fig. 1.7). Completing this task requires two changes of the heading in opposite
directions in a sufficiently precise manner, and a positive velocity must be maintained
in order to move past the obstacle.

It is intuitively clear that the control goals are achievable after all fault scenarios.
The loss of yaw rate information can be replaced with an estimate based on
the heading measurement. The rudders can be replaced because two thrusters are
installed that can be used to produce equivalent yaw moments. A thrust reduction in
one of the thrusters can be accommodated by increasing the thrust command within
its physical bounds, and a yaw moment produced by asymmetrical thrust can, to
some extent, be compensated by setting a small rudder angle. In summary, given
enough time, a tailored controller can be designed for every fault scenario.

Fig. 1.7 The nominal ship avoids the obstacle, while the ship subject to fault fy runs into the obstacle.



Two-Tank System Control 

The two-tank system defined as a benchmark problem in earlier work is used as a
second running example. The two-tank system is pictorially shown in Fig. 1.8. It is
particularly suitable for the use of piecewise affine models, since its physical setup
induces natural switching, as will be obvious from the model below.







Fig. 1.8 Two-tank system with nominal control loops. 



The plant consists of tanks $T_1$ and $T_2$ with levels $h_1$ and $h_2$, respectively. The
tanks are interconnected by valves accessed through the inputs $u_L$ and $u_U$, where $T_1$
is filled by means of the pump with the input $u_P$ (Fig. 1.8). A model of the system of
coupled tanks is obtained from mass balances and the laws of turbulent flow, where
the signal $s(t) = \operatorname{sign}(h_1(t) - h_2(t))$ describes the direction of the flow from $T_1$ to $T_2$:



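$$
\begin{aligned}
\dot h_1(t) &= \frac{1}{\rho A} \Bigl( -\rho c_V s(t) \sqrt{2g\,|h_1(t) - h_2(t)|}\; u_L(t) \\
&\qquad\quad - \rho c_V s(t) \sqrt{2g\,|\max(h_1(t), h_0) - \max(h_2(t), h_0)|}\; u_U(t) \\
&\qquad\quad + c_{P1} + c_{P2} u_P(t) \Bigr) \\
\dot h_2(t) &= \frac{1}{\rho A} \Bigl( \rho c_V s(t) \sqrt{2g\,|h_1(t) - h_2(t)|}\; u_L(t) \\
&\qquad\quad + \rho c_V s(t) \sqrt{2g\,|\max(h_1(t), h_0) - \max(h_2(t), h_0)|}\; u_U(t) \\
&\qquad\quad - \rho c_V \sqrt{2g\,(h_2(t) + k)} \Bigr) \\
y(t) &= h(t) \\
z(t) &= h_2(t).
\end{aligned}
\tag{1.14}
$$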



In the model, $A$ denotes the cross-section area of both tanks, $k$ is the head of the
outflow pipe, $h_0$ is the elevation of the upper connection pipe and the upper valve,
$g$ is the acceleration constant, $\rho$ is the density of water, $c_{P1} < 0$ is a pump bias that
represents a dead zone of the pump, $c_{P2}$ is a pump coefficient, and $c_V$ is a valve flow
coefficient. Both inputs are normalised in the interval [0; 1]. Numerical values for
the model parameters are defined in Table 1.2. The measured output $y$ is used for
control purposes, whereas the relevant regulated output $z$ reflects the main interest in
the right tank fluid level. The system undergoes switching of its dynamics whenever
the fluid levels in the tanks cross the elevation $h_0$ of the upper connection valve.



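Table 1.2 Parameters of the two-tank system.

Parameter    Value                    Saturation limit     Value
$g$          9.81 m/s^2               $\overline{u}_L$     1
$\rho$       998 kg/m^3               $\overline{u}_U$     1
$A$          0.0154 m^2               $\overline{u}_P$     1
$c_{P1}$     -0.0140 m/s              $\underline{u}_L$    0
$c_{P2}$     0.1251 m/s               $\underline{u}_U$    0
$c_V$        2·10^-5 m^3              $\underline{u}_P$    0
$h_0$        0.3 m
$k$          0.05 m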

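The two-tank system is controlled by two linear decentralised controllers

$$
\begin{pmatrix} u_P(t) \\ u_L(t) \\ u_U(t) \end{pmatrix}
=
\begin{pmatrix}
50\,(r_1(t) - y_1(t)) + 4 \int_0^t (r_1(\tau) - y_1(\tau))\, d\tau \\
50\,(r_2(t) - y_2(t)) + 4 \int_0^t (r_2(\tau) - y_2(\tau))\, d\tau \\
0.8
\end{pmatrix}.
$$
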
The controlled quantities are the fluid levels $h_1$ and $h_2$, for which the control aims
are stability and regulation to a given setpoint. The considered faults are abrupt and
non-transient:

• $f_{a1}$: failure of the lower valve $u_L$ ($u_{f,L}(t) = 0$ for $t > t_{f_{a1}}$) at fault time $t_{f_{a1}} = 20$ s,

• $f_{a2}$: gain reduction for the upper valve ($u_{f,U}(t) = 0.2\,u_U(t)$ for $t > t_{f_{a2}}$) at fault
time $t_{f_{a2}} = 35$ s,

• $f_s$: outage of the level sensor for $h_1$ ($y_{f,1}(t) = 0$ for $t > t_{f_s}$) at time $t_{f_s} = 40$ s.

The plant is perturbed by reference steps $r_1(t) = 0.15$ m for $t < 30$ s and $r_1(t) = 0.45$ m
for $t > 30$ s for the level $h_1$ as well as $r_2(t) = 0.05$ m for $t < 100$ s and $r_2(t) = 0.08$ m
for $t > 100$ s for the level $h_2$. The steps drive the process through a large operating
range, and thus realistically describe a startup procedure. A non-modelled outflow
of tank $T_1$ represents a disturbance $d$. Note that the fault breaks the loop at several
points and the reconfiguration method must change the control loop structure to
meet the control objectives.



1.6 Survey of Fault-Tolerant Control 

Fault-tolerant control with a focus on the control aspects is treated in depth in the
survey [87], in the tutorial [120], as well as the research monograph 12 10 . Comprehensive
commented bibliographies are available in [249, 250].



Passive FTC 

A passive fault-tolerant control scheme, where the control law is never changed, was
described for linear systems in [206] based on simultaneous stabilisation techniques.
An optimal sensor selection scheme to achieve passive fault-tolerance with respect
to sensor faults is described in [103]. An observer-based output-feedback controller
that is robust against sensor faults is available in [52]. Robust output-feedback model
predictive control with soft state and hard input constraints for linear systems has
been recently studied in [108]. A robust controller for linear parameter-varying systems
that also estimates additive faults is described in [221]. Passive fault-tolerant
control of nonlinear systems that does not explicitly distinguish diagnosis and
reconfiguration was presented in [26] and extended in [18], which is based on the
use of a control Lyapunov function. An idea that complements fault-tolerant control
techniques is the development of high-redundancy actuators that are inspired by
biological muscles and designed for graceful performance degradation [44, 203].



Fault Diagnosis 

Fault diagnosis methods seek to find out whether or not a system is faulty. Fault
diagnosis is part of every active fault-tolerant control scheme and the success of
subsequent control re-adjustment steps depends on the reliability of its diagnostic
results. Introductions to fault diagnosis methods are available in the books [21], [48], £ZLH1.

Fault diagnosis can be signal-based or model-based, and model-based approaches
are often founded on consistency tests for the I/O data on system models [21] or on
consistency tests for identified system parameters [83]. Conceptually, consistency-based
fault diagnosis is closely related to behaviours as defined by Willems [224].



Roughly speaking, the behaviour of a system with inputs $u \in \mathcal{U} \subset \mathcal{L}_1^{\mathrm{loc}}(\mathbb{R}^m)$ and
outputs $y \in \mathcal{Y} \subset \mathcal{L}_1^{\mathrm{loc}}(\mathbb{R}^r)$ is defined to be the set of all pairs $(u(t), y(t))$ that are
compatible with the system dynamics, where $\mathcal{U}$ and $\mathcal{Y}$ denote the input and output
signal spaces: $\mathcal{S} \subset \mathcal{U} \times \mathcal{Y}$. In the behavioural setting, it is straightforward to explain
the basic principles of fault diagnosis and also the conditions determining whether
or not fault diagnosis attempts can be successful. The nominal (fault-free) system,
denoted by the fault case $f_0$, is characterised by a specific behaviour denoted by
$\mathcal{S}_0$. With every possible fault scenario $f_i \in \mathcal{F} = \{f_0, f_1, \ldots, f_F\}$ from a finite set $\mathcal{F}$
of possible fault scenarios, a specific behaviour $\mathcal{S}_i$ is associated. The restriction to
a finite fault set is often called the closed-world assumption, meaning that no other
faults are possible. Statements about the completeness of fault diagnosis algorithms
frequently rely on this assumption. Typical example behaviours of different fault
scenarios are illustrated in Fig. 1.9.

Fig. 1.9 Behaviours of nominal and faulty systems.



The figure supports the following important conclusions about diagnosability of
dynamical systems. If two behaviours belonging to different fault scenarios are identical,
then these fault scenarios are not distinguishable. If their intersection is empty,
then the two fault scenarios are perfectly distinguishable (the fault case triplets f\ ,
fl, fn and fi,fz, fy are perfectly distinguishable in Fig. 1.9). If their behaviours overlap,
as they do in most cases, then there exist signals that permit distinction between
the fault scenarios (faults fi and fy in Fig. 1.9). The latter case is commonly considered
to characterise a diagnosable system. From these considerations, it is clear that
the diagnosis success also depends crucially on the chosen input signals. This dependence
is intimately linked to the persistence of excitation condition encountered in
system identification. It implies that test signal synthesis is a nontrivial and important
issue in fault diagnosis (experiment design is the parallel problem in system
identification). Every complete⁴ consistency-based fault diagnosis method starts with the
initial fault candidate set $\mathcal{F}_C(0) = \mathcal{F}$ and iteratively excludes fault scenarios that are
inconsistent with the observations. A fault $f_a$ is uniquely diagnosed at the step $j$ if
$\mathcal{F}_C(j) = \{f_a\}$. In general, it is not possible to uniquely distinguish between all faults
due to the overlap in their behaviours, even if full freedom in the choice of the inputs
is available. Based on the retrievable information, it is possible to define a smallest
fault candidate set $\mathcal{F}^*$ that contains the true fault. Practical algorithms are evaluated
by comparing their resultant fault candidate sets to $\mathcal{F}^*$.
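
The candidate-set iteration described above, as an added example that is not taken from the monograph: a constructed first-order discrete-time plant is observed under bounded measurement noise, and fault scenarios whose predicted output is inconsistent with a measurement are excluded step by step. The plant coefficients, the four-element fault set, the noise bound and all function names are assumptions made for illustration.

```python
"""Consistency-based fault diagnosis on a constructed first-order plant."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FaultModel:
    name: str
    actuator_gain: float  # 1.0 = healthy, 0.2 = gain reduction, 0.0 = failure
    sensor_gain: float    # 1.0 = healthy, 0.0 = sensor outage


# Closed-world assumption: the finite fault set F (all values constructed).
FAULT_SET = (
    FaultModel("f0", 1.0, 1.0),  # nominal
    FaultModel("f1", 0.2, 1.0),  # actuator gain reduced to 20 %
    FaultModel("f2", 0.0, 1.0),  # actuator failure
    FaultModel("f3", 1.0, 0.0),  # sensor outage
)
A_COEF, B_COEF = 0.9, 0.1  # x[k+1] = A_COEF*x[k] + B_COEF*gain*u[k]


def simulate(fault, inputs, x0):
    """Noise-free output sequence of the plant under one fault scenario."""
    x, outputs = x0, []
    for u in inputs:
        outputs.append(fault.sensor_gain * x)
        x = A_COEF * x + B_COEF * fault.actuator_gain * u
    return outputs


def measure(fault, inputs, x0, noise_bound):
    """Constructed measurements: true output plus bounded alternating noise."""
    return [y + (0.5 if k % 2 == 0 else -0.5) * noise_bound
            for k, y in enumerate(simulate(fault, inputs, x0))]


def diagnose(inputs, measurements, x0, noise_bound):
    """Return the candidate sets F_C(0), F_C(1), ... as tuples of fault names."""
    predictions = {f.name: simulate(f, inputs, x0) for f in FAULT_SET}
    candidates = tuple(f.name for f in FAULT_SET)  # F_C(0) = F
    history = [candidates]
    for k, y in enumerate(measurements):
        # Keep only the scenarios whose behaviour contains the observed pair.
        candidates = tuple(name for name in candidates
                           if abs(y - predictions[name][k]) <= noise_bound)
        history.append(candidates)
    return history


def run_experiment(true_fault_name, inputs, x0, noise_bound=0.01):
    """Generate measurements under the true fault and diagnose them."""
    true_fault = next(f for f in FAULT_SET if f.name == true_fault_name)
    measurements = measure(true_fault, inputs, x0, noise_bound)
    return diagnose(inputs, measurements, x0, noise_bound)


if __name__ == "__main__":
    step, rest = [1.0] * 10, [0.0] * 10
    for label, fault, inputs, x0 in [
        ("f1, zero input, x0 = 0", "f1", rest, 0.0),
        ("f1, step input, x0 = 0", "f1", step, 0.0),
        ("f2, step input, x0 = 0", "f2", step, 0.0),
        ("f2, step input, x0 = 1", "f2", step, 1.0),
    ]:
        print(label, "->", run_experiment(fault, inputs, x0)[-1])
```

The first and third runs end with more than one candidate: with zero input all four behaviours coincide, and with a zero initial state an actuator failure and a sensor outage produce identical outputs, so only a different experiment (here a nonzero initial state) separates them.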

The consistency-based approach is available for networked discrete-event systems
modelled by input/output automata 1 14(11 18911 , for timed input/output automata
[208], for discretely controlled continuous systems 111 1611 , for linear systems subject
to biased uncertain measurements 1116311 , and for nonlinear systems with the same
uncertainties [225]. All mentioned algorithms possess the completeness property.
Often, a residual is generated by means of observers or Kalman filters and compared
to a threshold [209, 252]. The placement of sensors under observability and
redundancy constraints is studied in 112611 .

This monograph addresses the control reconfiguration problem for nonlinear systems,
therefore fault diagnosis methods for nonlinear systems are required. An actuator
fault detection method for uncertain input-affine single-input single-output
systems based on neural approximation models is described in 11941 1 . Further fault
diagnosis methods for nonlinear systems are available in [9, 248].



Control Reconfiguration 



There is a general consensus that actuator faults are more difficult to treat than sensor
faults. After sensor faults are detected, it remains to mask their effect in the closed-loop
system, typically by replacing the measurements with estimates obtained based
on state-observation principles [229]. The recovery methods from sensor faults described
in this monograph are in accordance with this general idea.

In reconfigurable control, the linear model-matching approach dominates the
field, where the nominal controller is replaced by a new controller that is tailored to
the faulty plant and either synthesised online, or picked from a bank of pre-designed
fault-case controllers. The original approach was based on the comparison of the
nominal and reconfigured closed-loop system matrices [33] but lacked a stability
guarantee. This drawback was removed in [64]. Recently, the model matching idea
is usually based on linear eigenstructure assignment J7|], on extensions of the classical
linear pseudoinverse method [98, 201], on robust $H_\infty$-control mixers [242], and
on adaptive control principles [37]. The perfect model following technique has been
considered as well in [65]. The disadvantage of these methods consists in the prescription
of special structures for the reconfigured controller, discarding the nominal
controller from the loop.



4 A fault diagnosis algorithm is said to be complete under the closed-world assumption if 
the true fault is never excluded from the set of fault candidates. 

A fault accommodation approach for nonlinear systems is described in [86]. A
control reconfiguration approach for non-minimum phase nonlinear systems with
control re-allocation and reference adjustment is described in [17]. Recently, a nonlinear
fault accommodation technique based on nonlinear parametric estimation has
been suggested, where the faults are viewed as multiplicative external inputs [57].
For switched and hybrid systems, adaptive schemes [236], observer-based switching
schemes based on multiple Lyapunov functions [237], and output feedback controller
redesign 111 8 ill have been developed, however based on additive fault models.
In [233], fault-tolerance analysis based on global passivity is addressed, however
without synthesis procedures. Periodic systems were considered in [235]. A hybrid
controller approach based on hybrid automata models and verification techniques
has been described in 115311241 \. A sensor fault accommodation technique based on
bond graphs is available in [238].

Model-predictive control has been used as a basis for the reconfigurable control
of linear, piecewise affine, and fuzzy systems in 11271 Il3(jll84ll2131, and an
optimisation technique based on hybrid automata has been proposed in [210]. Further
ideas for the reconfigurable control of hybrid systems are based on automaton
abstractions B12lUl22ll . However, these methods require considerable online computational
power. The suitability of internal model control for the accommodation
of actuator faults, sensor faults, and internal faults has been studied in [77], where
fault accommodation is achieved by changing the internal plant model and its inverse
to let them reflect the faults. A so-called generalised internal model control
scheme was developed in [34] and extended to handle model uncertainties in [240].

Techniques that explicitly combine fault diagnosis and control reconfiguration
are difficult to achieve. Although the problem is still considered unsolved, it is tackled
from various sides described in the following literature. The uncertainties of
fault diagnosis are explicitly taken into account in [243]. A probabilistic approach
that takes into account missed detections and false alarms has been presented in
[128], which comes at the cost of very high computational complexity that limits
the applicability to offline synthesis and to usage within controller banks. A general
architecture for integrated residual filter design for fault diagnosis and control
adjustment is suggested in [40], including a bump-less switching scheme between
the nominal controller and the reconfigured controller. Joint fault diagnosis and
reconfiguration approaches for actuator and sensor faults based on invariant set theory
and controller banks are described in ll29Lll46Lll47ll and applied to induction motor
control in [196]. In these approaches, it is required that any combination of faulty
plants and fault-case controllers yields a stable reconfigured closed-loop system,
which is a strong assumption. Subspace predictive control is a recently introduced
combined parameter identification and controller synthesis approach that bears potential
for solving the simultaneous fault diagnosis and control adjustment problem
[50]. The application of unfalsified control to fault-tolerant control is a relatively
new area that is still in its infancy [82]. It provides a systematic means for selecting
one controller from a set of finitely many candidate controllers. The fault diagnosis
and reconfiguration problem has been studied for bimodal piecewise affine systems
in lfl38h.

Adaptive control is typically applied to respond to incipient faults that represent
gradual component degradation |!2511 . In so far, adaptive control is readily well-suited
for fault accommodation purposes. Adaptive control can be extended for reconfigurable
control purposes. A fault-tolerant self-tuning adaptive control method
with integrated fault detection is described in [212]. An adaptive fault compensation
scheme for actuator faults is described in 125 ill .

Intelligent control is concerned with learning from experience in order to address
unanticipated faults. Learning control combines ideas from classical control
and computer science, especially with ideas of artificial intelligence, to adapt to
changing environments and to profit from past experience. Learning techniques such
as neural networks, expert systems, and general problem solvers are used to store
knowledge about past fault situations and the success of certain responses [51, 204].
An adaptive fault-compensation scheme based on neural network model and internal
model control for nonlinear systems is described in [61], where neural networks
are used to learn the nominal and faulty plant models. The concepts of adaptive control,
uncertainties, and fuzzy plant models have been combined to achieve actuator
fault tolerance in [247].

Combined studies of reconfigurable and networked control are recently emerging.
A state-feedback control scheme that is robust with respect to uncertain plant
dynamics and with respect to bounded network delays, and that tolerates actuator
failures, is described in [232]. The approach is a blend between passive and active
FTC, since the initial controller is designed to be robust against plant model uncertainties
as well as arbitrary actuator failures, and performance improvement in the
case of actuator failures is achieved by means of control reconfiguration. A control
adjustment technique to account for time delay variation in network control environments
has been devised in [214], where the upper bound on the network delay
changes abruptly due to network malfunction.



Recently, the fault-hiding principle has been developed for linear systems [202].
In the case of actuator faults, the reconfiguration block leads to a generalisation of
the dual observer 111211 called the virtual actuator lll5Lll23l4l25ll . The sensor fault
case leads to an observer-like solution called the virtual sensor [202]. These linear
approaches have recently been extended and generalised towards new synthesis
methods in J119lll7l[|l73[|l75lll79lll80ll . Experimental applications to a nonlinear
thermofluid benchmark process are reported in I177lll78ll . The fault-hiding principle
is extended towards nonlinear dynamical systems in this monograph.

The previous discussion has focussed on methods for continuous-variable systems.
At a higher level of abstraction, many processes especially in manufacturing
engineering are adequately described by discrete-event dynamical systems (DEDS),
short discrete-event systems. Fault-tolerant control of discrete-event systems (DES)
has been studied in several application domains for different reasons. In communication
and computer engineering, discrete-event models are used to describe scheduling
problems. Fault-tolerant scheduling techniques are described, for example, in
1 155J, [230]. In automated manufacturing systems, the production process is often
represented by discrete-event models, and fault-tolerant methods for improving the
dependability of the production process have been suggested, with the main focus
on the computing hardware and control software [8]. Exploiting fault-tolerance of
the control scheme, regardless of the software and hardware used for its implementation,
is recently being studied [38, 42]. Dependable control of DES independent
of specific applications starts to develop into a field in its own right. Generalised
application-independent approaches for DES are presented in B15U 115211 based on
languages generated by standard automata and using the concepts of safe diagnosability
and safe controllability. In these works, given specification languages are
recovered by means of supervisor reconfiguration. Similar automaton models are
used with modified observability notions in [39], where supervisor reconfiguration
is likewise proposed. Petri nets are used in [234], focussing on the satisfaction of
mutual exclusion specifications.



Applications 

Reconfigurable control was largely motivated from applications in flight control,
for which a large number of approaches have been developed and several tests are
reported, mostly based on simulations y, |6|, |2J, |28J, 16311 . In flight dynamics, the
state variables are tightly cross-coupled. Therefore, numerous analytical redundancies
arise [205], which makes the development of fault-tolerant controllers more
promising than in areas such as automotive control and process control, where redundant
components tend to be removed from the system design to reduce system
cost. Nevertheless, applications of fault-tolerant controllers have also been reported
in these areas J3l.l47l. l88lll44ll , see also the recent application-oriented book [145].
Fault-tolerant control has also been experimentally studied on autonomous underwater
vehicles based on physical redundancies and pseudoinverse reconfiguration
schemes [239]. Fault-tolerance is also important if large numbers of railway vehicles
operate autonomously on a shared fixed track, such as it is the case in the RailCab
project [66]. If a single vehicle ceases operation, it blocks the entire track. This
problem also occurs in classical railway systems, however the number of vehicles
on the track is considerably smaller than on the envisioned new systems.

In summary, numerous fault-tolerant and reconfigurable control approaches have
been developed and studied for linear systems, but the literature on nonlinear approaches
is comparatively sparse. In particular, the fault-hiding approach is not
available for nonlinear systems. This monograph addresses the extension of the
fault-hiding principle to two classes of nonlinear systems, namely to Hammerstein-Wiener
systems and piecewise affine systems.



Chapter 2 
Preliminaries 



Abstract. This chapter defines the notation for this monograph and recalls central
notions from the literature that constitute the theoretical foundation of this monograph.
These notions are linear matrix inequalities, polyhedra and polytopes, and
classical as well as recent results from stability theory. The discussion of stability
theory concerns stability in the sense of Lyapunov, extensions for systems with
inputs, the convergence property, and absolute stability.

2.1 Notation 

Lower case bold letters ($\boldsymbol{x}$) denote vectors, capital bold letters ($\boldsymbol{A}$) denote matrices,
and script capitals ($\mathcal{L}$) denote spaces. Systems are denoted by $\Sigma_1, \Sigma_2, \ldots$, where the
subscripts distinguish different systems. The interconnection of two systems through
common input/output variables is denoted by $(\Sigma_1, \Sigma_2)$. Corresponding dynamical
operators are denoted by Q\,Q2 with the same distinction. The restriction of a system
operator Qp with multiple outputs to a specific output $y$ is denoted by i^ p . The
symbol $\triangleq$ means equal by definition.

$\mathbb{R}$ denotes the set of real numbers, and $\mathbb{R}_+ = [0, \infty)$. $\mathbb{C}$ denotes the complex plane,
and $\mathbb{C}_- \triangleq \{s \in \mathbb{C} \mid \operatorname{Re}(s) < 0\}$. The $p$-norm of a vector $x = (x_1, \ldots, x_n)^T$ is defined by
$\|x\|_p \triangleq \bigl(\sum_{i=1}^{n} |x_i|^p\bigr)^{1/p}$. By definition, the notation $\|\cdot\|$ refers to the vector 2-norm.
For $1 \le p \le \infty$, and for a measurable signal $x(t) : \mathbb{R}_+ \to \mathbb{R}^n$, the notation
$x(t) \in \mathcal{L}_p(\mathbb{R}_+, \mathbb{R}^n)$ means that $\|x(t)\|_{\mathcal{L}_p} < \infty$, where
$\|x(t)\|_{\mathcal{L}_p} \triangleq \bigl(\int_{\mathbb{R}_+} \|x(t)\|^p \, dt\bigr)^{1/p}$ for $1 \le p < \infty$ and
$\|x(t)\|_{\mathcal{L}_\infty} \triangleq \operatorname{ess\,sup}_{0 \le \tau \le t} \|x(\tau)\|$. The space of locally integrable signals is
denoted by $\mathcal{L}_1^{\mathrm{loc}}$. The time argument is omitted if it is clear from the context that a
signal is meant. The space of piecewise continuous signals with $m$ components is
denoted by $\mathcal{PC}^m$. The notation $x \equiv 0$ means $\forall t : x(t) = 0$.

A function $y = \varphi(u)$ for $y \in \mathbb{R}^m$, $u \in \mathbb{R}^m$ is called decomposed if
$\varphi(u) \triangleq (\varphi_1(u_1), \ldots, \varphi_m(u_m))^T$ holds. A decomposed function $\varphi$ is called sector-bounded in
the sector $[0, k]$ if $\forall u : 0 \le \frac{\varphi(u)}{u} \le k$, where $\le$ and division are applied element-wise,
which is concisely denoted by $\varphi \in [0, k]$ [97]. The decomposed saturation function
is defined as $u_s \triangleq \operatorname{sat}(u, \underline{u}, \overline{u})$ where, for $i = 1, \ldots, m$,
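
$$
u_{s,i} \triangleq
\begin{cases}
\underline{u}_i & \text{if } u_i < \underline{u}_i \\
u_i & \text{if } \underline{u}_i \le u_i \le \overline{u}_i \\
\overline{u}_i & \text{if } \overline{u}_i < u_i.
\end{cases}
\tag{2.1}
$$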



The following properties of matrices are used [19]. The right inverse of the
matrix $A$ is denoted by f and defined as A^ = $A^T (A A^T)^{-1}$. The left inverse of the
matrix $A$ is denoted by X and defined as A^ = $(A^T A)^{-1} A^T$. The pseudoinverse of
a matrix $A$ satisfying all four Moore-Penrose conditions is denoted by $A^+$ llql . The
set of eigenvalues of a matrix $A$ is denoted by $\sigma(A)$. A matrix is called Hurwitz if all
its eigenvalues have strictly negative real part. The transpose (conjugate transpose)
of a real (complex) matrix $A$ is denoted by $A^T$ ($A^*$). A Hermitian matrix satisfies
the relation $A^* = A$. The notation $A < 0$ ($A \le 0$) for a Hermitian matrix means that
the matrix $A$ is negative (semi-) definite, meaning that all its eigenvalues are strictly
negative (non-positive). Correspondingly, the symbol $>$ ($\ge$) denotes positive (semi-)
definiteness of Hermitian matrices. A symmetric block matrix is denoted in abbreviated
form using the symbol $\bullet$, therefore the notation

$$\begin{pmatrix} A & B \\ \bullet & C \end{pmatrix} \quad \text{abbreviates} \quad \begin{pmatrix} A & B \\ B^T & C \end{pmatrix}.$$

A pair of matrices $(A, B)$, where $A \in \mathbb{R}^{n \times n}$, $B \in \mathbb{R}^{n \times m}$, is called stabilisable, if there
exists a matrix $K \in \mathbb{R}^{m \times n}$ such that $A - BK$ is Hurwitz. A pair of matrices $(C, A)$,
where $A \in \mathbb{R}^{n \times n}$, $C \in \mathbb{R}^{r \times n}$, is called detectable, if there exists a matrix $L \in \mathbb{R}^{n \times r}$
such that $A - LC$ is Hurwitz.

The following comparison functions are used [104]. A function $F : S \to \mathbb{R}$ defined
on a set $S \subset \mathbb{R}^n$ containing zero is positive definite if $F(x) > 0$ holds for all $x \in S$,
$x \ne 0$, and $F(0) = 0$. A class $\mathcal{K}$ function is a function $\alpha : \mathbb{R}_+ \to \mathbb{R}_+$ which is continuous,
strictly increasing, and satisfies $\alpha(0) = 0$. Any function $\alpha$ that satisfies these
requirements is said to be in the class $\mathcal{K}$, denoted by $\alpha \in \mathcal{K}$. A class $\mathcal{K}_\infty$ function
is a function $\alpha \in \mathcal{K}$ that is additionally unbounded, i.e. $\lim_{s \to \infty} \alpha(s) = \infty$. A class
$\mathcal{KL}$ function is a function $\beta : \mathbb{R}_+ \times \mathbb{R}_+ \to \mathbb{R}_+$ such that $\beta(\cdot, t) \in \mathcal{K}$ for any fixed $t$,
and for each fixed $r \ge 0$, $\beta(r, t) \to 0$ as $t \to \infty$. The unit step function $p(t)$ is defined
for $t \in \mathbb{R}$ as $p(t) = 0$ if $t < 0$ and $p(t) = 1$ if $t \ge 0$. The space of $k$ times continuously
differentiable functions is denoted by $C^k$.

Throughout the monograph, the end of a definition is marked by means of a
diamond (◊), the end of a remark is marked by means of a circle (○), and the end
of proofs placed in the main parts of the monograph is marked by means of black
squares (■).



2.2 Linear Matrix Inequalities 

Numerous standard control problems can be readily formulated as (nonlinear) matrix
inequalities [29], 118711 . Their transformation into a linear form can often be
achieved by means of standard transformations.

Definition 2.1 (Linear matrix inequalities [29]). Let $F_i = F_i^T \in \mathbb{R}^{n \times n}$ be a family
of symmetric parameter matrices.

• Linear matrix inequality: The inequality

$$\sum_{i=1}^{m} x_i F_i > 0 \tag{2.2}$$

is a linear matrix inequality (LMI), where $x = (x_1, \ldots, x_m)^T \in \mathbb{R}^m$ is called the
decision variable.

• Congruence transformation: Given a Hermitian matrix $A$ and a square non-singular
matrix $T$, the transformation

$$A \to T^* A T \tag{2.3}$$

is called a congruence transformation of $A$.

• Inertia: Let $\nu_-(A)$, $\nu_0(A)$, and $\nu_+(A)$ denote the numbers (counting multiplicity)
of eigenvalues of a symmetric matrix $A$ with negative, zero, and positive
real part, respectively. The triple $\operatorname{In}(A) = (\nu_-(A), \nu_0(A), \nu_+(A))^T$ is called the
inertia of $A$. ◊

The following lemma identifies congruence transformations as inertia-preserving
operations.

Lemma 2.1 (Congruence transformation [29]). If $A$ is Hermitian and $T$ is non-singular,
then the matrices $A$ and $T^* A T$ have the same inertia: $\operatorname{In}(A) = \operatorname{In}(T^* A T)$.

As a consequence of Lemma 2.1, congruence transformations are equivalence operations
on LMIs in the sense that $A > 0$ if and only if $T^* A T > 0$. Together with the
following Lemma, congruence transformations are often the key to transforming
nonlinear matrix inequalities into equivalent linear matrix inequalities.

Lemma 2.2 (Schur complements [29]). The following statements are equivalent:

1. $\begin{pmatrix} Q & S \\ S^T & R \end{pmatrix} < 0$

2. $Q < 0$ and $R - S^T Q^{-1} S < 0$

3. $R < 0$ and $Q - S R^{-1} S^T < 0$.

The equivalence relations defined by Schur complements also hold for reversed inequalities
($>$ instead of $<$).

Definition 2.2 (Affine combination and affine independence [30]). Given is a set
of vectors $\mathcal{X} \triangleq \{x_1, \ldots, x_k\}$, which is used to define the following two notions.

• Affine combination: A point

$$p \triangleq \sum_{i=1}^{k} \alpha_i x_i \quad \text{where} \quad \sum_{i=1}^{k} \alpha_i = 1 \tag{2.4}$$

is called an affine combination of the vectors in $\mathcal{X}$.

• Affine independence: The vectors in the set $\mathcal{X}$ are affinely independent, if all
vectors in the set

$$\{x_2 - x_1, \ldots, x_k - x_1\} \tag{2.5}$$

are linearly independent. ◊

LMIs are nowadays efficiently solvable using numerical methods, for example interior
point methods [30], implemented in software such as YALMIP and SeDuMi
l l09Ll207h .



2.3 Polyhedra and Polytopes 

A polyhedron A is a (not necessarily bounded) set defined by a finite number of lin 



ear inequalities, whereas a polytope is always bounded 025311 . Polyhedra and poly 



topes can be defined as intersections of finite numbers of half-spaces as follows. 



Definition 2.3 (Polyhedra and polytopes [253]).

• Polyhedron: A polyhedron $\mathcal{X} \subset \mathbb{R}^n$ is a set

$$\mathcal{X} = \{x \in \mathbb{R}^n : Hx \le k\}, \tag{2.6}$$

where H e R" Xn is a matrix where every row is a normal direction to one of the 
hyperplanes, and k e ]R" xl gives the hyperplane offsets. 

• Polytope: A polytope $\mathcal{P} \subset \mathbb{R}^n$ is a bounded and closed set

$$\mathcal{P} = \{x \in \mathbb{R}^n : Hx \le k\}, \tag{2.7}$$

where the matrix H e R" x " defines the normal directions to the hyperplane, and 
k e R" xl defines the hyperplane offsets. o 

A polytope P is thus a compact polyhedron. Every polytope is a polyhedron, but not 
vice versa. Furthermore, every polyhedron and every polytope is convex, which is 
immediate from their definitions. 

The representation (2.7) is often called $(H/k)$-representation in the literature. The
interior of any set (in particular, of a polytope) is denoted by $\operatorname{int}(\mathcal{P})$. Alternatively, a
polytope is defined by the convex hull of a finite set of vertex points.

Definition 2.4 (Convex hull [253]). The convex hull $\operatorname{co}(\mathcal{X})$ of a set of given points
$\mathcal{X} = \{x_1, \dots, x_k\}$ is defined by

$$\operatorname{co}(\mathcal{X}) = \Big\{ \sum_i \alpha_i x_i : x_i \in \mathcal{X},\ \alpha_i \in \mathbb{R}_+,\ \sum_i \alpha_i = 1 \Big\}. \tag{2.8}$$

The set $\operatorname{co}(\mathcal{X})$ is a polytope with the set of vertex points $\mathcal{V} \subset \mathcal{X}$.

In the course of this monograph, the class of simplex polytopes will be of special
interest.

Definition 2.5 (Simplices and Delaunay partitions [244, 253]).

• Simplex: A simplex $\mathcal{S}$ in $\mathbb{R}^n$ is the convex hull of $n + 1$ affinely independent
points $\mathcal{X} \triangleq \{x_1, \dots, x_{n+1}\}$:

$$\mathcal{S} = \operatorname{co}(\mathcal{X}). \tag{2.9}$$

The points $x_i \in \mathcal{X}$, $i \in \{1, \dots, n + 1\}$ are called vertices, and the convex hull of
any $n$ vertices is called a facet.

• Delaunay partition: Let $\mathcal{V} \subset \mathbb{R}^n$ be a compact subset of the state-space and
$\mathcal{S}_i$, $i \in \mathcal{I} = \{1, \dots, k\}$ be a collection of nonintersecting simplices that satisfy the
conditions

$$\forall i, j \in \mathcal{I},\ i \neq j : \operatorname{int} \mathcal{S}_i \cap \operatorname{int} \mathcal{S}_j = \emptyset.$$

Then, the set of simplices

is called a Delaunay partition of the set $\mathcal{V}$.

Simplices and Delaunay partitions are used in connection with piecewise affine sys- 
tems in this monograph. 
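Definitions 2.2, 2.4 and 2.5 combine into a practical membership test: the coefficients of the affine combination (2.4) are the barycentric coordinates of a point, and the point lies in the simplex exactly when all of them are nonnegative. The block below is an added example, not code from the monograph; the function names and the two-triangle partition of the unit square are constructed for illustration.

```python
def solve(M, rhs, eps=1e-12):
    """Gauss-Jordan elimination with partial pivoting; None if M is singular."""
    n = len(M)
    A = [list(map(float, row)) + [float(r)] for row, r in zip(M, rhs)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(A[r][c]))
        if abs(A[piv][c]) < eps:
            return None
        A[c], A[piv] = A[piv], A[c]
        for r in range(n):
            if r != c:
                f = A[r][c] / A[c][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return [A[i][n] / A[i][i] for i in range(n)]

def barycentric(vertices, p):
    """Coefficients alpha_i with p = sum alpha_i x_i and sum alpha_i = 1 (Eq. 2.4).

    The linear system is singular exactly when the differences x_i - x_1 of
    (2.5) are linearly dependent, so None means "not affinely independent".
    """
    n = len(p)
    if len(vertices) != n + 1:
        raise ValueError("a simplex in R^n needs n + 1 vertices")
    M = [[v[i] for v in vertices] for i in range(n)] + [[1.0] * (n + 1)]
    return solve(M, list(p) + [1.0])

def in_simplex(vertices, p, tol=1e-9):
    """True if p lies in co(vertices), i.e. all barycentric coordinates >= 0."""
    alpha = barycentric(vertices, p)
    return alpha is not None and all(a >= -tol for a in alpha)

def locate(partition, p):
    """Indices of all simplices containing p.

    For a partition with pairwise disjoint interiors, more than one index is
    returned only when p lies on a shared facet.
    """
    return [i for i, simplex in enumerate(partition) if in_simplex(simplex, p)]

# Constructed data: the unit square split along its diagonal into two simplices.
PARTITION = [
    [(0.0, 0.0), (1.0, 0.0), (1.0, 1.0)],
    [(0.0, 0.0), (1.0, 1.0), (0.0, 1.0)],
]

if __name__ == "__main__":
    print(barycentric(PARTITION[0], (0.7, 0.2)))
    for point in [(0.7, 0.2), (0.2, 0.7), (0.5, 0.5), (1.5, 0.5)]:
        print(point, locate(PARTITION, point))
```
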

2.4 Stability Theory 

Lyapunov-Type Stability of Equilibria 

The following stability definitions are defined for general nonlinear systems of the
form

$$\begin{cases} \dot{x}(t) = f(x(t), u(t)) \\ y(t) = h(x(t)) \\ x(0) = x_0, \end{cases} \tag{2.10}$$

where $x(t) \in \mathbb{R}^n$ is the state, $u(t) \in \mathbb{R}^m$ is an input, $y(t) \in \mathbb{R}^q$ is the output, and $f(\cdot,\cdot)$,
$h(\cdot)$ are nonlinear functions of appropriate dimensions. First, stability notions for
the autonomous system (2.10) are defined ($u \equiv 0$).

Definition 2.6 (0-global asymptotic stability and 0-global exponential stability
[97]). The system (2.10) with zero input $u = 0$ is called

• 0-globally asymptotically stable (0-GAS), if for all $t_0$ there exists a class $\mathcal{KL}$
function $\beta$ such that for all initial conditions $x(t_0)$

$$\|x(t)\| \le \beta(\|x(t_0)\|, t - t_0) \quad \forall t \ge t_0.$$

If the function $\beta$ does not depend on $t_0$, then the system (2.10) with zero input
$u = 0$ is called 0-globally uniformly asymptotically stable.

• 0-globally exponentially stable (0-GES), if for all initial times $t_0$ and all
corresponding initial conditions $x(t_0)$, the corresponding solution $x$ satisfies

$$\|x(t)\| \le c\,\|x(t_0)\|\, e^{-\lambda (t - t_0)} \quad \forall t \ge t_0$$

for some real numbers $c, \lambda > 0$.

In other words, exponential stability is a special case of asymptotic stability where
the function $\beta$ is exponential in the time argument.

Definition 2.7 (0-globally asymptotically stable solutions [159]). A solution $\bar{x}(t)$
of the system (2.10) with zero input $u = 0$ starting at the initial condition $\bar{x}(t_0)$ is
called 0-globally asymptotically stable, if for all initial times $t_0$ there exists a class
$\mathcal{KL}$ function $\beta$ such that for all initial conditions $x(t_0)$, the corresponding solution
$x(t)$ satisfies

$$\|x(t) - \bar{x}(t)\| \le \beta(\|x(t_0) - \bar{x}(t_0)\|, t - t_0) \quad \forall t \ge t_0.$$

If the function $\beta$ does not depend on $t_0$, then the solution $\bar{x}(t)$ is called 0-globally
uniformly asymptotically stable.

Theorem 2.1 (Converse Lyapunov theorem [197]). Let $x = 0$ be an equilibrium
point for the nonlinear time-invariant system $\dot{x}(t) = f(x(t), 0)$ with zero input, where
$f(\cdot,\cdot)$ is defined in Equation (2.10). If the autonomous nonlinear system is globally
exponentially stable, then there exists a continuously differentiable function
$V : \mathbb{R}^n \to \mathbb{R}$ that satisfies the inequalities

$$c_1 \|x\|^2 \le V(x) \le c_2 \|x\|^2$$
$$\nabla V(x) f(x, 0) \le -c_3 \|x\|^2, \qquad \|\nabla V(x)\| \le c_4 \|x\|,$$

where $c_1, c_2, c_3, c_4 > 0$.

For systems with inputs, the notions of input-to-state stability (ISS), input-to-state
practical stability (ISpS), and input-to-output stability (IOS) are useful to characterise
the boundedness of solutions $x(t)$ of the system (2.10) in the presence of
inputs.

Definition 2.8 (Input-to-state stability, input-to-state practical stability,
input-to-output stability [89, 198]). The system (2.10) is called

• globally input-to-state stable (ISS) with respect to (w.r.t.) the input $u$, if

$$\exists \beta \in \mathcal{KL},\ \gamma \in \mathcal{K} : \|x(t)\| \le \beta(\|x(t_0)\|, t - t_0) + \gamma(\|u\|_{\mathcal{L}_\infty}) \tag{2.11}$$

for all inputs $u$, all initial conditions $x(t_0)$, and all times $t \ge t_0$, where $x$ is the
solution of (2.10).

• globally input-to-state practically stable (ISpS) w.r.t. the input $u$, if

$$\exists \beta \in \mathcal{KL},\ \gamma \in \mathcal{K},\ K > 0 : \|x(t)\| \le \beta(\|x(t_0)\|, t - t_0) + \gamma(\|u\|_{\mathcal{L}_\infty}) + K \tag{2.12}$$

for all inputs $u$, all initial conditions $x(t_0)$, and all times $t \ge t_0$, where $x$ is the
solution of (2.10), and

• globally input-to-output stable (IOS) w.r.t. the input $u$ and the output $y$, if

$$\exists \beta \in \mathcal{KL},\ \gamma \in \mathcal{K} : \|y(t)\| \le \beta(\|x(t_0)\|, t - t_0) + \gamma(\|u\|_{\mathcal{L}_\infty}) \tag{2.13}$$

for all inputs $u$, all initial conditions $x(t_0)$, and all times $t \ge t_0$, where $y$ is the
output of the system (2.10).

The state of an ISS system is bounded for arbitrary bounded control inputs, and the 
unforced part of the solution asymptotically vanishes. Thus for zero inputs, the def- 
inition of ISS recovers the 0-GAS property. ISS is understood as a global property 
throughout this monograph. The ISS property requires that the system asymptoti- 
cally converges to the origin in the absence of inputs. The weaker notion of ISpS 
only requires convergence to a neighbourhood of the origin. When dealing with sys- 
tems interconnected through inputs and outputs, the notion of IOS systems is more 
useful than the notion of ISS. 

The following theorem links the ISS notion to the concept of Lyapunov functions. 

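Theorem 2.2 (Lyapunov criterion for ISS systems [198]). Let $V : \mathbb{R}^n \to \mathbb{R}$ be a
continuously differentiable function such that

$$\alpha_1(\|x\|) \le V(x) \le \alpha_2(\|x\|) \tag{2.14}$$

$$\nabla V(x) f(x, u) \le -W(x), \quad \forall \|x\| \ge \rho(\|u\|) > 0 \tag{2.15}$$

for all $(x, u) \in \mathbb{R}^n \times \mathbb{R}^m$, where $\alpha_1, \alpha_2 \in \mathcal{K}_\infty$, $\rho \in \mathcal{K}$, and $W$ continuous and positive
definite on $\mathbb{R}^n$. Then, the nonlinear system (2.10) is ISS with $\gamma = \alpha_1^{-1} \circ \alpha_2 \circ \rho$.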

Property 2.1 (ISS of cascaded ISS systems lfl98Tl ) 

Tt , (v(t) = f(v(t),w(t),u(t)), v(t)eW 

Let the system < (2.16) 

\w(t) = g(w(t),u(t)), w(t)eR" 

be such that the $v$-subsystem is globally ISS w.r.t. the input $(w, u)$, and the
$w$-subsystem is globally ISS w.r.t. the input $u$. Then, the cascade system (2.16) is
globally ISS w.r.t. the input $u$.

Property 2.2 (IOS of cascaded IOS systems [89]). Let the system

$$\begin{cases} \dot{v}(t) = f(v(t), p(t), u(t)), & v(t) \in \mathbb{R}^s \\ \dot{w}(t) = g(w(t), u(t)), & w(t) \in \mathbb{R}^n \\ p(t) = h_1(w(t), u(t)) \\ q(t) = h_2(v(t), p(t), u(t)) \end{cases} \tag{2.17}$$

be such that the $v$-subsystem with the input $(p, u)$ and output $q$ is IOS, and the
$w$-subsystem is IOS w.r.t. the input $u$ and the output $p$. Then, the cascade connection
(2.16) is IOS w.r.t. the input $u$ and the output $(p, q)$.

Similarly, the concepts of finite-gain stability and the $H_\infty$-system norm of a given
system are defined.



Definition 2.9 (Finite-gain $\mathcal{L}_2$ stability, $\mathcal{L}_2$-gain, $H_\infty$-system norm [200]). The
system $\Sigma$ defined in Equation (2.10) with $x_0 = 0$ is called

• finite-gain $\mathcal{L}_2$ stable if there exist scalars $\gamma > 0$ and $K > 0$ such that

$$\|y(t)\|_{\mathcal{L}_2} \le \gamma \|u(t)\|_{\mathcal{L}_2} + K \tag{2.18}$$

holds for all input/output pairs $(u, y)$ of $\Sigma$, and

• the smallest number $\gamma > 0$ that satisfies Inequality (2.18) for all input/output
pairs $(u, y)$ is called the $\mathcal{L}_2$-gain or, if the system (2.10) is linear, the $H_\infty$-norm
of the system $\Sigma$, denoted by $\|\Sigma\|_{H_\infty}$.

The following theorem is useful for studying the stability properties of feedback 
interconnections of stable systems. 



Theorem 2.3 (Small-gain theorem [97]). Let $\Sigma_1$ and $\Sigma_2$ be finite-gain $\mathcal{L}_2$ stable
systems with respect to the input/output signals $(u_1, y_1)$ and $(u_2, y_2)$ and the
$\mathcal{L}_2$-gains $\gamma_1$ and $\gamma_2$. Then, the feedback interconnection $(u_1 = y_2 + r_1)$, $(u_2 = y_1 + r_2)$ is
finite-gain stable if $\gamma_1 \gamma_2 < 1$.



Lyapunov-Type Stability of Non-equilibrium Solutions 

The following notion describes the stability of all possible solutions of the
system (2.10) with respect to each other, for a given input $u$ but starting from different
initial conditions.

Definition 2.10 (Incremental global asymptotic stability [5]). The system (2.10)
is called incrementally globally asymptotically stable ($\delta$GAS), if there exists a
function $\beta \in \mathcal{KL}$ such that for all $u$, and all pairs $(x_u(t_0), \bar{x}_u(t_0))$ the relation

$$\|x_u(t) - \bar{x}_u(t)\| \le \beta(\|x_u(t_0) - \bar{x}_u(t_0)\|, t - t_0) \quad \forall t \ge t_0$$

is satisfied.

Sometimes, only the stability of a single solution is of interest.

Definition 2.11 (Globally asymptotically stable solutions [159]). A solution $\bar{x}_u(t)$
of the system (2.10) for the input $u$ is called globally asymptotically stable, if for all
initial times $t_0$ there exists a function $\beta \in \mathcal{KL}$ such that every solution $x_u(t)$ starting
from an arbitrary initial condition $x_u(t_0)$ satisfies the relation

$$\|x_u(t) - \bar{x}_u(t)\| \le \beta(\|x_u(t_0) - \bar{x}_u(t_0)\|, t - t_0) \quad \forall t \ge t_0.$$

If the function $\beta$ does not depend on $t_0$, then the solution $\bar{x}_u(t)$ is called globally
uniformly asymptotically stable.

The following property is stronger than the stability of solutions and will be
instrumental in obtaining the tracking properties for piecewise affine systems.

Definition 2.12 (Convergence 14a. [159]). The system (2.10) with the
piecewise-continuous input $u \in \mathcal{PC}_m$ is said to be

• convergent if for all inputs $u \in \mathcal{PC}_m$ there exists a solution $\bar{x}_u$ satisfying the
following conditions

1. $\bar{x}_u(t)$ is defined and bounded for all $t \in \mathbb{R}$,

2. $\bar{x}_u(t)$ is globally asymptotically stable.

• uniformly convergent if it is convergent and, for all inputs $u \in \mathcal{PC}_m$, $\bar{x}_u$ is
globally uniformly asymptotically stable.

• exponentially convergent if it is convergent and, for all inputs $u \in \mathcal{PC}_m$, $\bar{x}_u$ is
globally exponentially stable.

Uniform convergence implies that the steady-state solution $\bar{x}_u$ of the system (2.10) is
unique¹ and depends only on the input signal $u$. In other words, a uniformly convergent
system "forgets" its initial condition. If the input $u$ to a uniformly convergent
system is periodic with the period $T$, then its steady-state solution $\bar{x}_u$ is periodic
with the period $T$ [159]. In particular, if the input is constant, then the steady-state
solution is constant.

¹ Note that while $\delta$GAS is closely related to convergence, a $\delta$GAS system does not
necessarily have a unique steady-state solution. Rather, all steady-state solutions converge
to each other.

Theorem 2.4 (Sufficient condition for convergence [159]). Consider the
system (2.10) and let $f(x, u)$ be continuous with respect to $u \in \mathbb{R}^m$ and locally
Lipschitz with respect to $x \in \mathbb{R}^n$. Moreover, let $f(x, u)$ be $C^1$ with respect to $x$ in
$(x, u) \in (\mathbb{R}^n \setminus \Gamma) \times \mathbb{R}^m$, where $\Gamma \subset \mathbb{R}^n$ is a set consisting of a finite number of
hyperplanes given by equations of the form $h_j^T x + k_j = 0$, for some $h_j \in \mathbb{R}^n$ and $k_j \in \mathbb{R}$,
$j = 1, \dots, k$. Suppose that there exist matrices $P = P^T > 0$ and $Q = Q^T > 0$ such that

$$P \frac{\partial f}{\partial x}(x, u) + \frac{\partial f}{\partial x}^T(x, u) P \le -Q, \quad \forall x \in \mathbb{R}^n \setminus \Gamma,\ u \in \mathbb{R}^m. \tag{2.19}$$

Then, the system (2.10) is globally exponentially convergent for the class of inputs
$u \in \mathcal{PC}_m$.

The inequality (2.19) is known as the Demidovic condition. For linear systems, it
reduces to the Lyapunov inequality.



Absolute Stability 

Consider the following multi-input/multi-output strictly proper linear dynamical
systems with the same number of inputs and outputs in closed loop with a nonlinear
function $\varphi(\cdot)$ in the feedback branch,

$$\begin{cases} \dot{x}(t) = Ax(t) + Bu(t), \quad x(0) = x_0 \\ y(t) = Cx(t) \\ u(t) = -\varphi(y(t)), \end{cases} \tag{2.20}$$

where $A \in \mathbb{R}^{n \times n}$, $B \in \mathbb{R}^{n \times m}$, $C \in \mathbb{R}^{q \times n}$, and $q = m$, that is, the system has the same
number of inputs as outputs. It is assumed throughout the monograph that the
function $\varphi(\cdot)$ is

• decomposed, namely $\varphi(u) = (\varphi_1(u_1), \dots, \varphi_m(u_m))$, and

• sector-bounded within the first and third quadrant, namely $\varphi \in [0, k]$.

The diagonal matrix $S$ of inverse sector bounds is defined to be

$$S = \operatorname{diag}(1/k_1, \dots, 1/k_m). \tag{2.21}$$

Definition 2.13 (Absolute stability [97]). Consider the system (2.20), where the
pair $(A, B)$ is controllable, and the pair $(C, A)$ is observable. The system (2.20) is
said to be absolutely stable in the sector $[0, k]$, if the origin is a globally uniformly
asymptotically stable equilibrium point for all functions $\varphi \in [0, k]$.

The sector requirement in the above definition is strict, and the nonlinear function
must obey it at every time.

Theorem 2.5 (LMI-based criterion for absolute stability [29]). The system (2.20)
is absolutely stable in the sector $[0, k]$, if there exists a solution $X = X^T > 0$ to the
LMI



-(A T X + XA) 



A >0. (2.22) 



2S 



The feasibility of the LMI (2.22) is equivalent to strict positive realness of the
transfer function $T(s) = C(sI - A)^{-1} B$, and equivalent to the strict passivity of the linear
subsystem of the system (2.20).



Chapter 3 

Reconfigurable Control Problem and 

Fault-Hiding Approach 



Abstract. This chapter defines the reconfiguration problem, which consists in the 
recovery of the nominal stability, setpoint tracking, and performance properties by 
the reconfigured closed-loop system. First, reconfiguration problems are formulated 
based on model-matching ideas. Second, the fault-hiding concept is introduced and 
the reconfiguration problems are formulated in this context. The fault-hiding con- 
cept is the basis for all reconfigurable control solutions presented in later chapters. 
The general properties of the fault-hiding approach are explained in more detail. 

3.1 General Dynamical Operators 

It will be useful to refer to dynamical systems from an input/output perspective 
without specifying inner details. Dynamical operators are used for this purpose. In 
this monograph, operators may be regarded as an abbreviated way of specifying 
relationships between input and output signals without writing the detailed state- 
space model. Nevertheless, it should be kept in mind that the internal dynamics are 
always realised by a state-space model throughout this monograph. 

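Definition 3.1 (Dynamical operator). A dynamical operator $Q_P$ is a map with
memory $Q_P : \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^m) \times \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^k) \times \mathbb{R}^n \to \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^q) \times \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p)$ that maps input
signals $u_c(t) \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^m)$, $d(t) \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^k)$, and an initial condition $x_0 \in \mathbb{R}^n$ to output
signals $y(t) \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^q)$, $z(t) \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p)$,

$$(y, z) = Q_P(u_c, d, x_0). \tag{3.1}$$

The memory is represented by an internal state variable $x$, whose initial condition
is $x_0$.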



3.2 Nominal Nonlinear Systems 

This monograph is concerned with dynamical systems with inputs and outputs that 
are represented by time-invariant ordinary differential equations. 

J.H. Richter: Reconfigurable Control of Nonlinear Dynamical Systems, LNCIS 408, pp. 33-54.
springerlink.com © Springer-Verlag Berlin Heidelberg 2011

Definition 3.2 (Nonlinear dynamical system [97, 186]). A nonlinear dynamical
system is a set of first-order ordinary differential equations (ODEs)

$$\Sigma_P : \begin{cases} \dot{x}(t) = f(x(t), u_c(t), d(t)) \\ y(t) = h(x(t)) \\ z(t) = h_z(x(t)), \end{cases} \tag{3.2}$$

where $x(t) \in \mathbb{R}^n$ is the state, $u_c(t) \in \mathbb{R}^m$ is the control input, $d(t) \in \mathbb{R}^k$ is the
disturbance input, $y(t) \in \mathbb{R}^q$ is the measured output, $z(t) \in \mathbb{R}^p$ is the controlled output,
and

$$x(0) = x_0 \tag{3.3}$$

is the initial condition.
The nonlinear dynamical system is shown in Fig. 3.1.

Fig. 3.1 Nonlinear dynamical system.

The system (3.2) is called

• continuous if the function $f(\cdot,\cdot,\cdot)$ is continuous in all variables,

• smooth if $f(\cdot,\cdot,\cdot) \in C^\infty$,

• linear if all functions $f(\cdot,\cdot,\cdot)$, $h(\cdot,\cdot,\cdot)$, $h_z(\cdot,\cdot,\cdot)$ are linear in their arguments,

• nonlinear if at least one of the functions $f(\cdot,\cdot,\cdot)$, $h(\cdot,\cdot,\cdot)$, $h_z(\cdot,\cdot,\cdot)$ is not linear in
its arguments.

A classical solution of (3.2) on the time interval $[t_0, t_1]$ is a continuously
differentiable function $x : [t_0, t_1] \to \mathbb{R}^n$ that satisfies (3.2). Every continuous nonlinear
system (3.2) with initial condition (3.3) admits a classical solution, which is unique
if the function $f$ is locally Lipschitz [41].

Example 3.1 (Nonlinear model of a ship). The ship model defined in Equa- 
tions ( li.^D - rfX"?! ) has the special form 



$$\begin{cases} \dot{x}(t) = g(x(t)) + B \operatorname{sat}(\underline{u}, \bar{u}, u(t)) + B_d d(t) \\ \dot{\psi}(t) = x_3(t) \\ y(t) = C\,(x(t)^T, \psi(t))^T \\ z(t) = C_z\,(x(t)^T, \psi(t))^T, \end{cases} \tag{3.4}$$

where $x = (v, w, r)^T$, $u = (u_1, u_2, u_3)^T$, $\underline{u} = (-1, -1, -1)^T$, $\bar{u} = (1, 1, 1)^T$, $y = (v, r, \psi)^T$,
$z = (v, \psi)^T$, and $d = (a_v, a_w)^T$. With reference to the system (3.2), the function $f$ has
the special form $f(x, u, d) = g(x) + B \operatorname{sat}(\underline{u}, \bar{u}, u) + B_d d$. The autonomous part $g(x(t))$
of the model is nonlinear, whereas the saturated control input $\operatorname{sat}(\underline{u}, \bar{u}, u(t))$ and the
disturbance input $d(t)$ enter linearly. The output functions $h(\cdot)$ and $h_z(\cdot)$ are linear.
The nonlinearities of the autonomous part of the system are bilinear, that is, they
consist of products of state variable pairs. In order to analyse the system, the vector
field defined by the function $g(\cdot)$ is illustrated. Fig. 3.2 shows the directions of the
vector field.

Fig. 3.2 Illustration of ship vector field by means of flow vectors.



All reconfiguration methods presented in this monograph concern nonlinear systems.
However, instead of the general form (3.2), two subclasses of nonlinear
systems are used in the development of reconfigurable control strategies. These
classes of nonlinear systems are Hammerstein-Wiener systems and piecewise affine
systems.



3.3 Nominal Closed-Loop System and Assumptions 



In order to formulate the reconfiguration problem, the nominal plant model stated
in the previous section is complemented with a nominal controller to obtain a
nominal closed-loop system. Consider the nominal controller

$$\begin{cases} \dot{x}_c(t) = f_c(x_c(t), y(t), r(t)) \\ u_c(t) = h_c(x_c(t), y(t), r(t)) \\ x_c(0) = x_{c0} \end{cases} \tag{3.5}$$

for the nominal nonlinear plant (3.2), with which is associated an operator
$Q_C : \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^q) \times \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p) \times \mathbb{R}^{n_c} \to \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^m)$ that maps the measurement signal
$y \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^q)$, the reference input $r \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p)$, and an initial condition $x_{c0} \in \mathbb{R}^{n_c}$ to a
control input signal

$$u_c = Q_C(y_c, r, x_{c0}), \quad u_c \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^m). \tag{3.6}$$

The nominal controller (3.5) attached to the nominal plant (3.2) gives rise to the
nominal closed-loop system $\Sigma_L = (\Sigma_P, \Sigma_C)$, with which is associated the operator
$Q_L : \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p) \times \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^k) \times \mathbb{R}^n \times \mathbb{R}^{n_c} \to \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p)$ that maps the reference signal
$r \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p)$, the disturbance input $d \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^k)$, and initial conditions $x_0 \in \mathbb{R}^n$ and
$x_{c0} \in \mathbb{R}^{n_c}$ to the output

$$z = Q_L(r, d, x_0, x_{c0}), \quad z \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p). \tag{3.7}$$

Assumption 3.1. The nominal closed-loop system $\Sigma_L = (\Sigma_P, \Sigma_C)$ formed by the
nominal nonlinear plant (3.2) and the nominal nonlinear controller (3.5) is ISS with
respect to the reference input $r$ and the disturbance input $d$. Furthermore, the
tracking error

$$e_z(t) \triangleq r(t) - z(t) \tag{3.8}$$

satisfies desirable steady-state tracking, performance, and disturbance rejection
properties for arbitrary initial conditions $x_0$ and $x_{c0}$.

The desirable closed-loop properties are not further specified, since they are 
application-dependent. The performance specifications may involve overshoot lim- 
its, settling times, or Hi gains for the transient response, and the tracking properties 
may involve exact steady-state tracking or impose nonzero limits on the steady-state 
tracking error, each with or without disturbances. Whatever the nominally attained 
tracking and performance objectives are, the goal of reconfigurable control consists 
in recovering these nominal properties. 



3.4 Faults in Nonlinear Systems 

According to the IFAC Technical Committee SAFEPROCESS and DIN 40041 |4f 
a fault is "an unpermitted deviation of at least one characteristic property of the sys- 
tem from the acceptable, usual, standard condition". In other words, a fault causes 
the system behavior to deviate from its desired behavior in such a way that the sys- 
tem cannot fully serve its purpose with the fault. A failure is "a permanent interrup- 
tion of a system's ability to perform a required function under specified operating 
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conditions". Therefore, every failure is also a fault, but not vice versa. In this mono- 
graph, both faults and failures are considered and modelled in closely related ways. 
It is assumed that the faults and the failures appear abruptly and remain effective 
once they have occurred. From here on, when referring to faults, it is tacitly under- 
stood that faults and failures are meant. 

Faults and failures may occur on multiple levels, namely on the component level, 
at the aggregate system level that includes all system components, and at any inter- 
mediate aggregation level that includes a subset of the system components. In this 
monograph, faults and failures at the level of actuator and sensor components are 
considered, and the goal of fault-tolerant control consists in preventing component- 
level faults and failures to develop into system-level failures. 

In the literature on fault-tolerant control, two alternative fault models prevail.
In additive fault models, the fault is considered as a disturbance-like input that is
added to the state-space system equation [83]. However, the class of severe faults
that may cause a loss of closed-loop stability is better represented by multiplicative
models, since additive faults cannot lead to a loss of closed-loop stability if
the closed-loop system is ISS [141]. Therefore, the multiplicative fault modelling
framework is adopted in this monograph. It is remarked that additive fault models
are well-suited for fault diagnosis purposes [141].



Definition 3.3 (Actuator faults in nonlinear systems). An actuator fault is an
event occurring at time $t_f$ that changes the function $f(\cdot,\cdot,\cdot)$ to the faulty function
$f_f(\cdot,\cdot,\cdot)$ of the same dimensions, where $f_f(\cdot, 0, \cdot) = f(\cdot, 0, \cdot)$.

In other words, an actuator fault cannot change the autonomous behaviour of the
nonlinear system, nor can it change the disturbance effect.

Definition 3.4 (Sensor faults in nonlinear systems). A sensor fault is an event
occurring at time $t_f$ that changes the nominal measurement function $h(\cdot)$ to the
faulty measurement function $h_f(\cdot)$ of the same dimensions.
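The contrast between additive and multiplicative fault models drawn above can be reproduced on a scalar loop. The block below is an added example, not code or data from the monograph: an open-loop unstable plant with a stabilising proportional controller is simulated with a sensor fault of the form $h_f(x) = \text{gain} \cdot x + \text{offset}$ after the fault time. The plant, the gains, the disturbance and all names are constructed assumptions.

```python
def simulate(offset=0.0, gain=1.0, t_fault=5.0, t_end=20.0, dt=1e-3):
    """Forward-Euler simulation of x' = a x + b u + d with u = -k y.

    Before t_fault the sensor is nominal, y = h(x) = x.
    After t_fault the sensor is faulty,  y = h_f(x) = gain * x + offset.
    Returns the final state and the largest |x| seen during the run.
    """
    a, b = 0.5, 1.0        # constructed plant: unstable without feedback (a > 0)
    k = 2.0                # constructed controller gain: nominal loop pole at a - b k = -1.5
    d = 0.1                # constant disturbance input
    x = 1.0                # initial condition x_0
    peak = abs(x)
    for i in range(int(round(t_end / dt))):
        t = i * dt
        if t >= t_fault:
            y = gain * x + offset   # faulty measurement function h_f
        else:
            y = x                   # nominal measurement function h
        u = -k * y
        x += dt * (a * x + b * u + d)
        peak = max(peak, abs(x))
    return {"final": x, "peak": peak}

def scenarios():
    return {
        # no fault: the state settles at d / (b k - a)
        "nominal": simulate(),
        # additive fault: a bounded offset acts like an extra disturbance,
        # so the ISS loop keeps the state bounded (shifted steady state)
        "additive_offset": simulate(offset=0.4),
        # multiplicative fault, loss of sensitivity: the loop gain changes,
        # here the loop happens to stay stable (pole at a - 0.5 b k = -0.5)
        "multiplicative_half": simulate(gain=0.5),
        # multiplicative fault, failure: the sensor outputs zero, the loop is
        # opened and the unstable plant diverges
        "multiplicative_failure": simulate(gain=0.0),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} final x = {result['final']:10.4f}   peak |x| = {result['peak']:10.4f}")
```
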

Typical technological examples for faults are stuck valves, failed motors, failed
sensors, and changed characteristics of such devices. They lead to the faulty nonlinear
system

$$\Sigma_{Pf} : \begin{cases} \dot{x}_f(t) = f_f(x_f(t), u_f(t), d(t)) \\ y_f(t) = h_f(x_f(t)) \\ z_f(t) = h_z(x_f(t)) \\ x_f(0) = x_0. \end{cases} \tag{3.9}$$

Associated with any faulty dynamical system (nonlinear, linear, Hammerstein-Wiener,
piecewise affine) is a dynamical operator $Q_{Pf} : \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^m) \times \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^k) \times \mathbb{R}^n \to
\mathcal{L}^{\mathrm{loc}}(\mathbb{R}^q) \times \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p)$ that maps input signals $u_f \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^m)$, $d \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^k)$, and an
initial condition $x_0 \in \mathbb{R}^n$ to output signals $y_f \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^q)$, $z_f \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p)$,

$$(y_f, z_f) = Q_{Pf}(u_f, d, x_0). \tag{3.10}$$

The operator will be useful in the general definition of reconfigurable control
problems in the following section.

The occurrence of faults at the time $t_f$ changes the nominal plant to the faulty
plant whose model was stated in Section 3.4 above. The reconfigured controller is
determined as soon as the diagnostic result is available, but its synthesis requires
some time. Without loss of generality, the time $t_r$ when the reconfigured controller
becomes available is zero, $t_r = 0$. Therefore, the event times of the fault, availability
of the diagnosis results, and the availability of the reconfigured controller are
ordered in the sequence $t_f < t_D < t_r = 0$. These relations are shown in Fig. 3.3,
where the shown sample trajectory is governed by nominal closed-loop dynamics
$\Sigma_L = (\Sigma_P, \Sigma_C)$ for $t < t_f$. The deviation of the system state from the specifications is
unavoidable during the time interval $(t_f, 0)$.

Fig. 3.3 The faulty system deviates from the specifications. The solid solution is governed
by nominal dynamics, whereas the dashed solution is governed by faulty dynamics.



Example 3.2 (Nonlinear models of a ship subject to faults). In the nonlinear ship 
model ( li.7D -( T77?l ), faults are introduced as follows. The failure of the yaw rate gyro 
sensor, fault f\, leaves the system dynamics ( I7.7l )-( f7~?l ) unchanged but changes the 
output equations to 



$$y_{f1}(t) = v(t) \tag{3.11}$$
$$y_{f2}(t) = 0 \tag{3.12}$$
$$y_{f3}(t) = \psi(t), \tag{3.13}$$

meaning that the gyro sensor outputs the value zero after its failure.

A blockage of the rudder $u_3$ in some blockage position $p \in [-1, 1]$ between maximum
clockwise rudder moment and maximum counter-clockwise rudder moment,
corresponding to the fault $f_2$, is modelled by the dynamical equations changed
from OHE2P to 



v f (t) = —Wf(i)rf(f)-—Vf(f)+ (u f i(t) + u f2 (t)) + a v (t) 

mn "in mn 

mn drr 

w f(t) = v f (t)r f (f) w f (t) + a w (i) 

m 2 2 m 2 i 



(3.14)
(3.15)
mil — mri A3 lb \

f f (t) = — -v f (t)w f (t)-^-r f (t) + [-(u fl (t)-u f 2(t)) + p) (3.16) 

W33 OT33 WI33 \2 / 

(3.17) 



if/ f (t) = r f (t). 



The fault $f_3$, meaning a floating rudder, is obtained by the special case $p = 0$.

It is physically clear that the compensation of a blocked rudder that causes a 
nonzero yaw moment requires asymmetric thrust forces, to which physical limits are 
set by the actuation range limits. 

To illustrate the effect of faults on the ship behavior, simulations of the nonlinear
model of the ship subject to a floating rudder ($f_3$) are shown in Figs. 3.4 and 3.5,
where a proportional and integral control law is applied that succeeds in steering
the fault-free ship clear of a physical obstacle. The controller uses the rudder to act
on the yaw rate, and it uses the thrusters to act on the surge velocity. The loss of
rudder effectiveness occurs at $t_f = 20$ s and is clearly visible in Fig. 3.4. Therefore,
the yaw moment cannot be applied, and the ship course cannot be controlled after
$t_f$, with the consequence that the ship runs into the obstacle (Fig. 3.5).

Fig. 3.4 Nonlinear nominal and faulty ship responses in terms of the surge, sway, and yaw
velocities ($f_3$).

Fig. 3.5 Nonlinear nominal and faulty ship responses in absolute coordinates ($f_3$).

While the nonlinear system could in principle represent every fault aspect of in- 
terest, the development of reconfigurable control approaches for general nonlinear 
systems is very hard. The difficulty is due to two major reasons. First, the reconfig- 
uration methods must guarantee closed-loop properties like stability and tracking. 
Second, the reconfiguration methods must be capable of autonomous implementa- 
tion on computing hardware. In other words, the reconfiguration involves automatic 
controller synthesis. The methods developed in this monograph for Hammerstein- 
Wiener systems and piecewise affine systems satisfy both requirements. 



3.5 Reconfiguration Problems Based on the Model-Matching 
Idea 

The standard approach to reconfigurable control consists in replacing the nominal
controller $\Sigma_C$ with a new reconfigured controller

$$\Sigma_{Cr} : \begin{cases} \dot{x}_{cr}(t) = f_{cr}(x_{cr}(t), y_f(t), r(t)) \\ u_f(t) = h_{cr}(x_{cr}(t), y_f(t), r(t)), \\ x_{cr}(0) = x_{cr0} \end{cases} \tag{3.18}$$

at reconfiguration time, with which is associated an operator
$Q_{Cr} : \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^q) \times \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p) \times \mathbb{R}^{n_c} \to \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^m)$ that maps the measurement signal
$y_f \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^q)$, the reference input $r \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p)$, and an initial condition $x_{cr0} \in \mathbb{R}^{n_c}$ to a
control input signal

$$u_f = Q_{Cr}(y_f, r, x_{cr0}), \quad u_f \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^m). \tag{3.19}$$

Fig. 3.6 The model-matching approach to reconfigurable control: a) nominal closed-loop
system, b) faulty plant controlled by nominal controller prior to reconfiguration, c) reconfigured
closed-loop system with new controller.

Fig. 3.6 illustrates how the nominal plant $\Sigma_P$ in Fig. 3.6a) changes to the faulty plant
$\Sigma_{Pf}$ in Fig. 3.6b) when the fault occurs. The reconfiguration step after fault diagnosis
consists in the online synthesis and implementation of a reconfigured controller $\Sigma_{Cr}$
as shown in Fig. 3.6c).

The new controller gives rise to the reconfigured closed-loop system $(\Sigma_{Pf}, \Sigma_{Cr})$
with which is associated the dynamical operator $Q_{Lr} : \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p) \times \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^k) \times \mathbb{R}^n \times
\mathbb{R}^{n_c} \to \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p)$ that maps the reference signal $r \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p)$, the disturbance input
$d \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^k)$, and initial conditions $x_0 \in \mathbb{R}^n$ and $x_{cr0} \in \mathbb{R}^{n_c}$ to the output

$$z_f = Q_{Lr}(r, d, x_0, x_{cr0}), \quad z_f \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p). \tag{3.20}$$



Formally, the following reconfiguration goals are formulated, referring to the non- 
linear system d3.2b and the dynamical operator (13.1b that is here used to represent 
the input/output mapping of the nonlinear plant. 

Problem 3.1 (Stability recovery). Consider the nominal system 2> defined in 
Equation (13.2b . and the faulty system Zpf defined in Equation ( 13.91 ). both with the 
initial condition xq. Find a reconfigured controller Ecr of the form ( 13.181 1 such that 

(Epf,I C r)lSSw.r.t.(r,d) 



for any initial condition jc cr o- 
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Fig. 3.7 The reconfiguration problem starts at the initial time t = and the initial condition xq. 



This problem requires that the reconfigured closed-loop system be input-to-state 
stable with respect to its input (r,d). 

Problem 3.2 (Exact closed-loop performance and tracking recovery). Consider 
the nominal system Ep of the form ( 13.2b described by the operator l l3.ll ). the faulty 
system Epf of the form ( 13.91 ) described by the operator ( I3.10I ). both with the initial 
condition xq, and the nominal controller Ec of the form ( 13.5b described by the op- 
erator (13.6b with initial condition jc cU . Find a reconfigured controller Ec,- described 
by the operator ( 13.19b with a suitable initial condition x cr o such that 

Q Lr (;-,X Q ,Xco) - Q L (;-,xo,x c rt). 

This problem requires that the behaviour of the reconfigured closed-loop system 
exactly matches the nominal closed-loop behaviour. In other words, the nominal 
tracking properties, the nominal performance, and the nominal disturbance rejection 
properties are ideally recovered by the reconfigured closed-loop system. 

Fig. 3.7 illustrates that the reconfigured controller starts with the faulty plant being in the state $x(t_r) = x(0) = x_0$, since the system state deviates from the specifications. In the ideal case of perfect reconfiguration, the reconfigured system trajectories would follow nominal dynamics (solid in Fig. 3.7). Realistically, the reconfiguration is not ideal so that the reconfigured system trajectories differ from the nominal ones (dotted in Fig. 3.7). The difference signal is called $x_\Delta$, see Fig. 3.7.

This general formulation of Problems 3.1 and 3.2 has been the basis of numerous prior approaches to reconfigurable control, see Chapter 1.6. The problem formulation is further refined in this monograph as described in the next section. The approach taken in this monograph employs an explicit model for the difference $x_\Delta$.



3.6 Fault-Hiding Idea 

Instead of directly solving the reconfiguration problems 3.1 and 3.2 through model matching, a special structure is imposed on the reconfigured controller $\Sigma_{Cr}$, which is factorised into the original nominal controller $\Sigma_C$ and a reconfiguration block $\Sigma_R$: $\Sigma_{Cr} = (\Sigma_R, \Sigma_C)$. The reconfiguration approach adopted here, therefore, consists in augmenting the closed loop by means of a dynamical reconfiguration block, as shown in Fig. 3.8.

Fig. 3.8 Fault-hiding concept: a) Nominal closed-loop system, b) faulty plant controlled by nominal controller prior to reconfiguration, c) reconfigured closed-loop system with reconfiguration block.



Definition 3.5 (Nonlinear reconfiguration block). A nonlinear dynamical system of the form

$$\begin{aligned} \dot\xi(t) &= f_\xi(\xi(t), u_c(t), y_f(t)) \\ u_f(t) &= h_{\xi u}(\xi(t), u_c(t)) \\ y_c(t) &= h_{\xi y}(\xi(t), y_f(t)) \end{aligned} \tag{3.21}$$

where $\xi(t) \in \mathbb{R}^w$, is called a nonlinear reconfiguration block for a given nominal plant (3.2) and a corresponding faulty plant (3.9), if it connects the faulty plant (3.9) to the nominal controller (3.5) through the common signal pairs $(u_f, y_f)$ and $(u_c, y_c)$, and if it satisfies the inactivity conditions

$$f_f(\cdot,\cdot,\cdot) = f(\cdot,\cdot,\cdot) \;\Rightarrow\; u_f(t) = u_c(t) \tag{3.22}$$

$$h_f(\cdot) = h(\cdot) \;\Rightarrow\; y_c(t) = y_f(t) \tag{3.23}$$

for a suitable choice of its parameter functions $f_\xi(\cdot,\cdot,\cdot)$, $h_{\xi u}(\cdot,\cdot)$, and $h_{\xi y}(\cdot,\cdot)$.

The reconfiguration block translates the control input $u_c$ from the nominal controller into a meaningful control input $u_f$ for the faulty plant and corrects the measurement $y_f$ from the faulty plant, so that the nominal controller sees the nominal plant behavior at the output $y_c$ (Fig. 3.8). The inactivity conditions guarantee that the reconfiguration block does not affect the controller prior to faults. They ensure that the reconfiguration block may be implemented and run also during nominal plant operation, and its activation amounts to a change of its parameter functions $f_\xi(\cdot,\cdot,\cdot)$, $h_{\xi u}(\cdot,\cdot)$, and $h_{\xi y}(\cdot,\cdot)$.

Associated with the reconfiguration block (3.21) is the operator $\Omega_R : \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^m) \times \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^q) \times \mathbb{R}^w \to \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^m) \times \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^q)$,

$$(u_f, y_c) = \Omega_R(u_c, y_f, \xi_0). \tag{3.24}$$

Fig. 3.9 Due to the fault-hiding concept, the nominal controller is irrelevant for reconfiguration block design. The nominal plant a) and the reconfigured plant b) are compared in open-loop configuration.



Together with the faulty plant (3.9), the reconfiguration block (3.24) forms the reconfigured plant $\Sigma_{Pr} = (\Sigma_{Pf}, \Sigma_R)$ described by the operator $\Omega_{Pr} : \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^m) \times \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^k) \times \mathbb{R}^n \times \mathbb{R}^w \to \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^q) \times \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p)$

$$(y_c, z_f) = \Omega_{Pr}(u_c, d, x_0, \xi_0), \tag{3.25}$$

which is connected to the nominal controller $\Sigma_C$ defined in Equation (3.5) by means of the signal pair $(u_c, y_c)$ (see Fig. 3.9). On the one hand, this point of view is useful for reasoning about appropriate synthesis of the reconfiguration block. Namely, the comparison of the nominal plant behaviour and the reconfigured plant behaviour will guide the synthesis of the reconfiguration block. On the other hand, from an implementation point of view, the combination $(\Sigma_R, \Sigma_C) = \Sigma_{Cr}$ represents the reconfigured controller $\Sigma_{Cr}$ that is implemented. Associated with the complete reconfigured closed-loop system $\Sigma_{LFH} = (\Sigma_{Pf}, \Sigma_R, \Sigma_C)$ is the dynamical operator $\Omega_{LFH} : \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p) \times \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^k) \times \mathbb{R}^n \times \mathbb{R}^w \times \mathbb{R}^{n_c} \to \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p)$ that maps the reference signal $r \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p)$, the disturbance input $d \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^k)$, and initial conditions $x_0 \in \mathbb{R}^n$, $x_{cr0} \in \mathbb{R}^{n_c}$, and $\xi_0 \in \mathbb{R}^w$ to the output

$$z_f = \Omega_{LFH}(r, d, x_0, \xi_0, x_{cr0}), \quad z_f \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^p). \tag{3.26}$$

The following goals ensure that the original controller "sees" the fault-free plant behavior when attached to the reconfigured plant. They are deliberately introduced because they are key for keeping the nominal controller a part of the overall reconfigured closed-loop system. They will be instrumental in solving Problems 3.1 and 3.2.



Definition 3.6 (Weak fault-hiding goal). The reconfigured plant $\Sigma_{Pr}$ satisfies the weak fault-hiding goal, if the relation

$$\forall x_0, \exists \xi_0 : \Omega^{y}_{Pr}(\cdot, 0, x_0, \xi_0) - \Omega^{y}_{P}(\cdot, 0, x_0) = 0$$

holds.

In words, for every plant initial condition $x_0$, there must exist a matching initial condition $\xi_0$ of the reconfiguration block, such that the reconfigured plant behaviour is identical to the fault-free plant behaviour in the absence of disturbances. The term "weak" fault-hiding indicates that the initial state $\xi_0$ of the reconfiguration block depends on the initial state $x_0$ of the faulty plant. Furthermore, the disturbance behavior is not required to be equal in the nominal and reconfigured plants. The weak fault-hiding goal is used in Parts II and III of this monograph.

The weak fault-hiding goal is a relaxation of the following asymptotic fault- 
hiding goal. 

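Definition 3.7 (Asymptotic fault-hiding goal). The reconfigured plant $\Sigma_{Pr}$ satisfies the asymptotic fault-hiding goal, if the relations

$$\forall x_0, \exists \xi_0 : \Omega^{y}_{Pr}(\cdot, 0, x_0, \xi_0) - \Omega^{y}_{P}(\cdot, 0, x_0) = 0$$

$$\forall x_0, \forall \tilde\xi_0 \neq \xi_0 : \lim_{t \to \infty} \left(\Omega^{y}_{Pr}(\cdot, 0, x_0, \tilde\xi_0) - \Omega^{y}_{P}(\cdot, 0, x_0)\right) = 0 \tag{3.27}$$

hold.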

In other words, in addition to weak fault-hiding, asymptotic fault-hiding requires 
that for all nonmatching initialisations of the reconfiguration block, the difference 
between nominal and reconfigured plant measurements vanishes asymptotically. 
This goal is used in Part II of this monograph. 

A stronger version of the asymptotic fault-hiding goal is given by the strict fault-hiding goal used in Chapter 4 and Part II, where $\xi_0$ is not allowed to depend on $x_0$, and where, in addition, also the disturbance behaviour must be recovered.

Definition 3.8 (Strict fault-hiding goal). The reconfigured plant $\Sigma_{Pr}$ satisfies the strict fault-hiding goal, if the relation

$$\exists \xi_0 \text{ such that } \forall x_0 : \Omega^{y}_{Pr}(\cdot, \cdot, x_0, \xi_0) - \Omega^{y}_{P}(\cdot, \cdot, x_0) = 0 \tag{3.28}$$

holds.

It follows from the definitions that strict fault-hiding implies asymptotic fault- 
hiding, which in turn implies weak fault-hiding. In the fault-hiding approach a re- 
configuration block is sought that satisfies one of the fault-hiding goals. The ap- 
proach offers the following advantages over the redesign approach: 

• If the nominal controller is a human operator, e.g. a pilot, then the fault-hiding 
approach reduces the difficulty linked to dealing with a faulty system, because 
the reconfigured system behaves like the nominal system. As a consequence, it 
reduces training efforts for large numbers of fault scenarios and stress during 
fault situations. 

• The design of the reconfiguration block $\Sigma_R$ is independent of the controller and, therefore, usable with any nominal controller (consider different people taking shifts in operating the plant).

• The fault-hiding strategy opens the way for minimum-invasive alterations of the loop. If the controller is automatic and the fault affects small parts of the plant only, then large parts of the nominal controller are still valid and should be kept instead of performing a complete redesign, which may be costly and time-consuming.

The reconfiguration block is determined during its synthesis such that the fault is 
hidden from the nominal controller. Furthermore, additional closed-loop objectives 
strongly influence its synthesis, which are described next. 



3.7 Stability, Tracking, and Performance Recovery in the 
Fault-Hiding Approach 

The definitions of the fault-hiding goals have been formulated in open loop. Nevertheless, the final objective in reconfigurable control consists in the recovery of desirable properties of the nominal closed-loop system $\Sigma_L = (\Sigma_P, \Sigma_C)$ by the reconfigured closed-loop system $\Sigma_{LFH} = (\Sigma_{Pf}, \Sigma_R, \Sigma_C)$. Therefore, the Problems 3.1 and 3.2 are next adapted to the fault-hiding context; the exact performance recovery problem is also split into the aspects of setpoint tracking and performance recovery. The first important property is stability.

Problem 3.3 (Stability recovery by fault-hiding). Consider the nominal plant $\Sigma_P$ defined in Equation (3.2) and the faulty system $\Sigma_{Pf}$ defined in Equation (3.9). Find a reconfiguration block $\Sigma_R$ of the form (3.21) such that for all nominal controllers $\Sigma_C$ that satisfy Assumption 3.1

$$\{(\Sigma_P, \Sigma_C) \ \text{ISS w.r.t.}\ (r, d)\} \;\Rightarrow\; \{(\Sigma_{Pf}, \Sigma_R, \Sigma_C) \ \text{ISS w.r.t.}\ (r, d)\}.$$

This problem requires that the reconfigured closed-loop system be input-to-state stable whenever the nominal closed-loop system has the same property. Furthermore, performance and tracking are important properties to be recovered. Setpoint tracking refers to the ability of the system to asymptotically follow a constant reference signal in steady-state.

Problem 3.4 (Asymptotic setpoint tracking recovery by fault-hiding). Consider the nominal plant $\Sigma_P$ with the initial condition $x_0$ described by the operator (3.1) and the faulty system $\Sigma_{Pf}$ with the initial condition $x_0$ associated with the operator (3.10). Let Assumption 3.1 be satisfied, and let

$$z_f = \Omega_{LFH}(r, d, x_0, \xi_0, x_{c0}) \tag{3.29}$$

$$z = \Omega_L(r, d, x_0, x_{c0}) \tag{3.30}$$

be the outputs of the reconfigured and the nominal closed-loop systems. Find a reconfiguration block $\Sigma_R$ described by the operator (3.24) such that for all admissible controllers $\Sigma_C$, it follows that

$$\forall r(t) = \bar r \sigma(t),\ d(t) = \bar d \sigma(t),\ x_0, x_{c0}, \xi_0 : \lim_{t \to \infty} (z_f(t) - z(t)) = 0. \tag{3.31}$$

Performance refers to overshoot and settling time properties of transients. 

Problem 3.5 (Exact performance recovery by fault-hiding). Consider the nominal plant $\Sigma_P$ with the initial condition $x_0$ described by the operator (3.1), the faulty system $\Sigma_{Pf}$ with the initial condition $x_0$ described by the operator (3.10). Let $\Sigma_C$ be an admissible nominal controller with the initial condition $x_{c0}$ described by the operator (3.6), in the sense that $\Sigma_C$ satisfies Assumption 3.1. Find a reconfiguration block $\Sigma_R$ with the initial condition $\xi_0$ described by the operator (3.24) such that for all admissible controllers, it follows that

$$\Omega_{LFH}(\cdot, \cdot, \cdot, \xi_0, \cdot) - \Omega_L(\cdot, \cdot, \cdot, \cdot) = 0. \tag{3.32}$$

Note that all three previous problems are formulated independent of any specific controller. By this formulation, reconfiguration solutions are sought that work with any admissible controller satisfying Assumption 3.1.



3.8 Basic Structure of Fault-Hiding Solutions 

This section presents a general structure for the reconfiguration block (3.21) for reconfiguration after actuator as well as sensor faults that is used throughout this monograph. Its particular realisation varies with the system class and the considered types of faults. Minor extensions of this structure will be made, but the underlying idea is well illustrated in the following simplified way.

The idea shown in Fig. 3.10 consists in realising the reconfiguration block $\Sigma_R$ by means of a virtual sensor $\Sigma_S$ and a virtual actuator $\Sigma_A$. The virtual sensor $\Sigma_S$ consists of a model for the faulty system augmented by output injection, and the measurement from the faulty plant is replaced by its estimate. The virtual actuator $\Sigma_A$ consists of a reference model for the nominal plant as well as feedback of the difference between the state of the reference model and the state estimate of the observer and feedforward of the control input $u_c$. In summary, $\Sigma_R = (\Sigma_S, \Sigma_A)$.



Definition 3.9 (Nonlinear virtual sensor). The nonlinear virtual sensor is the nonlinear dynamical system

$$\Sigma_S : \begin{cases} \dot{\hat x}_f(t) = f_f(\hat x_f(t), u_f(t), 0) + L(y_f(t) - \hat y_f(t)) \\ \hat y_f(t) = h_f(\hat x_f(t)) \end{cases} \tag{3.33}$$

with the initial condition $\hat x_f(0) = \hat x_{f0}$.

The virtual sensor contains a copy of the faulty plant model (3.9) for zero disturbance (since the disturbance is generally not available for measurement) augmented by linear output error injection through the matrix gain $L$.

Fig. 3.10 Structure of the activated reconfiguration block.

Definition 3.10 (Nonlinear virtual actuator). The nonlinear virtual actuator is the nonlinear dynamical system

$$\Sigma_A : \begin{cases} \dot{\tilde x}(t) = f(\tilde x(t), u_c(t), 0) \\ u_f(t) = M x_\Delta(t) + N u_c(t) \\ y_c(t) = h(\tilde x(t)) \end{cases} \tag{3.34}$$

with the difference state

$$x_\Delta(t) \triangleq \tilde x(t) - \hat x_f(t) \tag{3.35}$$

and the initial condition $\tilde x(0) = \hat x_{f0}$.

The virtual actuator contains a reference model

$$\tilde\Sigma_P : \begin{cases} \dot{\tilde x}(t) = f(\tilde x(t), u_c(t), 0) \\ \tilde x(0) = \hat x_{f0} \end{cases} \tag{3.36}$$

for the nominal plant (3.9) with the state $\tilde x$ for zero disturbance. Furthermore, linear state feedback of the difference state (3.35) through the matrix gain $M$ and feedforward of the control input $u_c$ through the matrix gain $N$ to the plant input $u_f$ are applied. The virtual actuator outputs the nominal measurement $y_c$. In order to satisfy the inactivity conditions (3.22), (3.23) of the reconfiguration block definition, the virtual actuator equations are modified to produce $u_f(t) = u_c(t)$ and $y_c(t) = y_f(t)$ before the detection and isolation of any faults.

Both the observer and the virtual actuator involve linear feedback and feedforward gains $L$, $M$, and $N$, which are free to be designed in a suitable way such that as many as possible of the Problems 3.3–3.5 are solved. The use of more general nonlinear feedback and feedforward laws is conceivable, but not considered in this monograph, bearing in mind the requirement that the reconfigured controller must be found autonomously and online as fast as possible (recall from Chapter 1.3 that due to $t_f < t_0 < 0$, the faulty system generally deviates from its designated operating regime until the reconfigured controller is available at $t = 0$).

Both the observer (3.33) and the virtual actuator are provided with the same initial condition $\hat x_{f0}$ at reconfiguration time $t = 0$. Ideally, the true plant state at that time is used. Since the state is generally not available for measurement, the initial condition must be guessed. The initial guess can be improved by running the observer along with the nominal system prior to the detection of any faults. However, all solutions to Problems 3.3–3.5 provided in this monograph are valid whether or not the guessed initial condition is accurate, because none of the fault-hiding goals requires the knowledge of the plant initial condition, but only that if it was known, a matching initial condition for the reconfiguration block can be found.

Example 3.3 (Nonlinear virtual sensor and nonlinear virtual actuator for the 
ship). Consider the ship model ( l7.7D - d77?l ). The failure f\ of the gyro sensor modifies 
the model to the faulty ship output equations ( I3.77I )-( D.73D , and the blockage fi of 
the rudder uj, at the position 0.1 modifies the model to 1?.74D -( B.771 ), where /? = 0.1. 
All true input and output variables for the faulty ship are denoted by subscript f. A 
nonlinear virtual sensor for the ship subject to the faults f\,fi has the form 

kt) = i^mHt)- 1^(0 + ^ r («/,i(0 + «/,2«) + h (y(f)-y f (t)) 

Mt) = -^0)m-^w(t) + h(y(t)-y f (t)) 

Ht) = !!h ^m^(t)-^m+^{j(ufAt)-u fa (t) + 0A)) + h(y(t)-y f (t)) 

kt) =m + h(y(t)-y f (t)) 

y f (t) =(v(t)0 0kt)) T 

(3.37) 

where the rudder input ut, has been replaced by the constant 0. 1, and where the gain 



L = 



h 
h 



must stabilise the observation error. The model parameter M/3 = 0.1 and the out- 
put matrix must be provided by a fault diagnosis component. A nonlinear virtual 
actuator for the ship subject to the faults f\,f2 has the form 
where the gains $M$ and $N$ must be chosen such that the difference system is stabilised. Furthermore, the tracking recovery is highly important especially for the heading variable $\psi$, since accurate steering is needed for safe collision and obstacle-avoidance maneuvers.

The control commands $u_{c,1}$, $u_{c,2}$, $u_{c,3}$ that are issued by a helmsman or an autopilot are translated into the control inputs $u_{f,1}$, $u_{f,2}$, $u_{f,3}$ that act on the ship. The fault-hiding concept has the advantage that the reconfiguration block $(\Sigma_S, \Sigma_A)$ is useful both for ships under manual control and for ships under autopilot control. Under manual control, the crew at the helm is relieved from the need to learn how to deal with the faulty ship, since the virtual actuator and virtual sensor take care of that task.



3.9 General Properties of Fault-Hiding Solutions 

Although special cases of the general nonlinear problem will be solved in Parts II 
and III, it is instructive to also study the following general properties of the adopted 
realisation of the reconfiguration block. It will turn out that the fault-hiding goals 
are always satisfied as a direct consequence of the chosen structure of the reconfig- 
uration block decomposed into a virtual sensor and a virtual actuator. Furthermore, 
the following analysis reveals how the main reconfiguration problems regarding sta- 
bility, tracking, and performance recovery objectives are reformulated. The new for- 
mulation points towards solution strategies that will be followed in this monograph. 
The important properties are deduced by calculating the dynamics of the reconfigured plant $\Sigma_{Pr} = (\Sigma_{Pf}, \Sigma_S, \Sigma_A)$. These dynamics are originally formulated in terms of the state variables $\tilde x$, $\hat x_f$, and $x_f$. Introducing the observation error

$$e(t) = \hat x_f(t) - x_f(t), \tag{3.39}$$

the original state variables are expressed in new variables $\tilde x$, $e$, and $x_\Delta$ that are linked to the original variables by the linear transformation



'r 




'10 0' 
The observation error dynamics is governed by the equation

$$\begin{aligned} \dot e(t) ={}& f_f(\tilde x(t) - x_\Delta(t), M x_\Delta(t) + N u_c(t), 0) - L h_f(\tilde x(t) - x_\Delta(t)) \\ & - \big[ f_f(\tilde x(t) - x_\Delta(t) - e(t), M x_\Delta(t) + N u_c(t), d(t)) \\ & \quad - L h_f(\tilde x(t) - x_\Delta(t) - e(t)) \big], \end{aligned} \tag{3.40}$$

with the initial condition $e(0) = \hat x_{f0} - x_0$, which is obtained from the definition (3.39) of the observation error and from the definition (3.33) of the nonlinear virtual sensor. The dynamics of the difference system (3.35) is governed by the equation

$$\begin{aligned} \dot x_\Delta(t) ={}& f(\tilde x(t), u_c(t), 0) - f_f(\tilde x(t) - x_\Delta(t), M x_\Delta(t) + N u_c(t), 0) \\ & + L h_f(\tilde x(t) - x_\Delta(t)) - L h_f(\tilde x(t) - x_\Delta(t) - e(t)), \end{aligned} \tag{3.41}$$

with the initial condition $x_\Delta(0) = 0$, which is obtained from the definition (3.35) of the difference state and from the definition (3.34) of the nonlinear virtual actuator, and their initial conditions.

The combined dynamics (3.40), (3.41) together with the reference model in the virtual actuator (3.34) provide a transformed representation of the dynamics of the reconfigured plant (3.25). It is immediate from the virtual actuator definition (3.34) and from Fig. 3.10 that the plant behavior seen through the input $u_c$ and the output $y_c$ is nominal for zero disturbance. In other words, the state $\tilde x$ is governed by the same dynamics as the nominal system state $x(t)$. Therefore, at least the weak fault-hiding goal is satisfied by the adopted approach for any matrix gains $L$, $M$, $N$. The fault-hiding property follows, therefore, by construction from the chosen reconfiguration block structure. Stronger fault-hiding properties depend on additional properties of the reconfigured plant, which must be achieved by means of appropriate synthesis of the matrix gains $L$, $M$, $N$.

Furthermore, considering the reconfigured closed-loop system, the equations (3.40) and (3.41) together with the nominal controller (3.5) have a special structure that is illustrated in Fig. 3.11. Namely, the overall reconfigured closed-loop system has been transformed into the cascade interconnection of two feedback systems:

• the nominal closed-loop dynamics $(\Sigma_C, \tilde\Sigma_P)$ (left dashed box in Fig. 3.11), ISS by assumption, and

• the feedback interconnection of the observation error dynamics defined in Equation (3.40) and denoted by $\Sigma_e$ and the difference system dynamics defined in Equation (3.41) and denoted by $\Sigma_\Delta$ (right dashed box in Fig. 3.11).

The two subsystems are connected through the coupling variables $u_c$ and $\tilde x$. The reference $r$ and the disturbance $d$ are external inputs.

Recall that the cascade connection of two ISS systems has the ISS property (Property 2.1). This observation has the following consequences, which well characterise the remaining tasks for the following chapters concerning the stability recovery (Problem 3.3).

1. The cascade connection provides a nonlinear separation property regarding the ISS of the reconfigured closed-loop dynamics. Namely, the ISS property of the reconfigured closed-loop system follows if the nominal closed-loop system is ISS (Assumption 3.1), and if the interconnection $(\Sigma_e, \Sigma_\Delta)$ of introduced dynamics is ISS.

2. The stability properties of the interconnection $(\Sigma_e, \Sigma_\Delta)$ are independent of the nominal controller $\Sigma_C$, as the inspection of Equations (3.40) and (3.41) shows.

3. The synthesis of the reconfiguration block amounts to finding the observer gain $L$ and the virtual actuator gains $M$ and $N$. Due to aspect 2, the synthesis depends only on the models of the nominal and faulty plants.

Fig. 3.11 The transformed structure of the reconfigured closed-loop system.

In other words, solving Problem 3.3 reduces to stabilising the feedback interconnection $(\Sigma_e, \Sigma_\Delta)$. Finding stabilising gains $L$, $M$, and $N$ and thus shaping the dynamics of $(\Sigma_e, \Sigma_\Delta)$ will be one of the central aspects of the chapters to follow. Assumptions about nominal closed-loop stability similar to Assumption 3.1 will be standing assumptions in later chapters.

Other important questions concern the recovery of the nominal tracking (Problem 3.4) and performance (Problem 3.5) properties by the reconfigured closed-loop system. The tracking error defined in Equation (3.8) for the nominal closed-loop system $\Sigma_L$ is obtained as follows

$$e_z(t) = r(t) - z(t) = r(t) - h_z(x(t)),$$

whereas the tracking error of the reconfigured closed-loop system $\Sigma_{LFH}$ is defined as

$$\begin{aligned} e_{z_f}(t) = r(t) - z_f(t) &= r(t) - h_z(x_f(t)) \\ &= r(t) - h_z(\tilde x(t) - x_\Delta(t) - e(t)). \end{aligned}$$

Note that the state $\tilde x$ is governed by the same dynamics as the nominal system state $x(t)$ except for the disturbance, which vanishes, and that Assumption 3.1 holds for arbitrary initial conditions. It follows that $\lim_{t \to \infty} r(t) - h_z(\tilde x(t)) = 0$. Therefore, the asymptotic setpoint tracking properties are recovered if and only if

$$\lim_{t \to \infty} (x_\Delta(t) + e(t)) = 0$$

and thus

$$\lim_{t \to \infty} (e_z(t) - e_{z_f}(t)) = 0.$$

Fig. 3.12 Reconfigurable control viewed as disturbance decoupling and output regulation problems.

As the case of exactly cancelling nonzero solutions is unlikely, the goal consists in independently regulating $x_\Delta(t)$ and $e(t)$ to the origin.



Lemma 3.1. Problem 3.4 is solved, i.e. the nominal asymptotic closed-loop tracking properties are recovered by the reconfigured closed-loop system, if $\forall r(t) = \bar r \sigma(t)$ ($\bar r \in \mathbb{R}^p$), $d(t) = \bar d \sigma(t)$ ($\bar d \in \mathbb{R}^k$) and $\forall x_0, x_{c0}, \xi_0$

$$\lim_{t \to \infty} x_\Delta(t) = 0 \tag{3.42}$$

$$\lim_{t \to \infty} e(t) = 0. \tag{3.43}$$

Lemma 3.2. Problem 3.5 is solved, i.e. the nominal tracking and performance properties are exactly recovered, if $\forall d(t), r(t)$ and $\forall x_0, x_{c0}, \xi_0$

$$\forall t \in \mathbb{R}_+ : x_\Delta(t) + e(t) = 0. \tag{3.44}$$

The basic structure (3.33), (3.34) of the reconfiguration block (3.21) is the basis for the reconfiguration solutions for linear systems, Hammerstein-Wiener systems, and piecewise affine systems. It will be modified and extended as necessary to accommodate the presence of disturbances and to recover the nominal tracking and performance properties in spite of disturbances by the reconfigured closed-loop system. However, the extensions always fit into the presented framework.

In other words,

1. the asymptotic setpoint tracking recovery Problem 3.4 reduces to ensuring that Equations (3.42) and (3.43) are satisfied, and

2. the exact performance recovery Problem 3.5 reduces to ensuring that Equation (3.44) is satisfied.



The tracking recovery problem described in Equations (3.42) and (3.43) can be interpreted as an output regulation problem with the output $x_\Delta + e$ (Fig. 3.12). The exact performance recovery described in Equation (3.44) can be interpreted as a disturbance decoupling problem with the input $(r^T, d^T)^T$ and the output $x_\Delta + e$. Solutions to the general nonlinear output regulation problem and the general nonlinear disturbance decoupling problem are stated in [184] and [142], respectively (see also [143]). The general solutions to the nonlinear disturbance decoupling and output regulation problems are, however, highly complex since they require symbolic computation, and they are therefore not well-suited for the automatic online control synthesis, which is a requirement in this monograph. Here, special solutions are developed that are well-suited for autonomous implementation.
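The structure of Definitions 3.9 and 3.10 and the conditions (3.42), (3.43) can be checked numerically on a small case. The following Python simulation is an added example, not part of the monograph: the scalar plant with two redundant actuators, the failure of actuator 1, the proportional controller and the gain values $L = 3.5$, $M = (0, 2.5)^T$, $N$ are all assumptions chosen for illustration, and explicit Euler integration is used.

```python
# Constructed example: scalar plant with two redundant actuators. Plant, fault,
# controller and gain values are assumptions; only the block structure follows
# Definitions 3.9 (virtual sensor) and 3.10 (virtual actuator).

K = 2.0                             # nominal proportional controller gain
L_GAIN = 3.5                        # virtual-sensor output-injection gain L
M_GAIN = (0.0, 2.5)                 # virtual-actuator feedback gain M
N_GAIN = ((0.0, 0.0), (1.0, 1.0))   # feedforward gain N, reroutes u_c to actuator 2


def f(x, u, d):
    """Nominal plant dynamics: both actuators act on the state."""
    return -x ** 3 + 0.5 * x + u[0] + u[1] + d


def f_f(x, u, d):
    """Faulty plant dynamics: actuator 1 has failed, only u[1] still acts."""
    return -x ** 3 + 0.5 * x + u[1] + d


def controller(r, y):
    """Nominal controller; it only ever commands actuator 1."""
    return (K * (r - y), 0.0)


def nominal_loop(x0, r, steps=10000, dt=1e-3):
    """Measured output of the nominal closed loop, d = 0 (explicit Euler)."""
    x, ys = x0, []
    for _ in range(steps):
        ys.append(x)                                  # y = h(x) = x
        x += dt * f(x, controller(r, x), 0.0)
    return ys


def faulty_loop(x0, r, steps=10000, dt=1e-3):
    """Faulty plant wired directly to the nominal controller: the loop is open."""
    x, ys = x0, []
    for _ in range(steps):
        ys.append(x)
        x += dt * f_f(x, controller(r, x), 0.0)
    return ys


def reconfigured_loop(x0, xhat0, r, d=0.0, steps=10000, dt=1e-3):
    """Faulty plant, virtual sensor, virtual actuator and nominal controller.

    Returns the logs (y_c, z_f, gap) with gap = x_delta + e.
    """
    x_f = x0                     # true state of the faulty plant
    x_hat = x_til = xhat0        # observer and reference model share one guess
    y_c_log, z_f_log, gap_log = [], [], []
    for _ in range(steps):
        y_f = x_f                                     # y_f = h_f(x_f) = x_f
        y_c = x_til                                   # y_c = h(x_til)
        u_c = controller(r, y_c)
        x_delta = x_til - x_hat                       # difference state (3.35)
        e = x_hat - x_f                               # observation error (3.39)
        u_f = tuple(M_GAIN[i] * x_delta
                    + N_GAIN[i][0] * u_c[0] + N_GAIN[i][1] * u_c[1]
                    for i in range(2))                # u_f = M x_delta + N u_c
        y_c_log.append(y_c)
        z_f_log.append(x_f)
        gap_log.append(x_delta + e)
        dx_f = f_f(x_f, u_f, d)                       # faulty plant
        dx_hat = f_f(x_hat, u_f, 0.0) + L_GAIN * (y_f - x_hat)   # virtual sensor
        dx_til = f(x_til, u_c, 0.0)                   # reference model
        x_f, x_hat, x_til = x_f + dt * dx_f, x_hat + dt * dx_hat, x_til + dt * dx_til
    return y_c_log, z_f_log, gap_log


def summary(x0=-0.4, xhat0=0.3, r=1.0):
    """Compare nominal, unreconfigured and reconfigured loops for a step reference."""
    y_nom = nominal_loop(xhat0, r)       # nominal plant started at the guess
    z_nom = nominal_loop(x0, r)          # nominal plant started at the true state
    y_c, z_f, gap = reconfigured_loop(x0, xhat0, r)
    z_bad = faulty_loop(x0, r)
    return {
        "hiding_error": max(abs(a - b) for a, b in zip(y_c, y_nom)),
        "initial_gap": gap[0],
        "final_gap": abs(gap[-1]),
        "final_diff_reconfigured": abs(z_f[-1] - z_nom[-1]),
        "final_diff_unreconfigured": abs(z_bad[-1] - z_nom[-1]),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:28s} {value:.3e}")
```

The value `hiding_error` is zero for any choice of the gains, because the controller only sees the reference model, whereas `final_gap` tends to zero only because the assumed $L$ and $M$ stabilise the error and difference dynamics of this particular plant.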

Finally, the question arises whether the fault-hiding approach $\Sigma_{Cr} = (\Sigma_R, \Sigma_C)$ negatively affects the solvability of the reconfiguration problem when compared to the general problem of finding an arbitrary reconfigured controller $\Sigma_{Cr}$.

Definition 3.11 (Universality of reconfiguration blocks). The fault-hiding approach with reconfiguration block $\Sigma_R$ to control reconfiguration is called universal if the solvability of Problem 3.1 (Problem 3.2) implies the solvability of Problem 3.3 (Problem 3.5).

By definition, universality is defined with respect to particular control reconfiguration problems. In addition, certain universality properties will be stated with respect to particular structures of the reconfigured controller $\Sigma_{Cr}$, and they will be given distinct names. More precise definitions for universality are given below when needed. The following chapter recalls linear solutions to the problems stated in this chapter. In the linear case, the fault-hiding approach provides a reconfiguration solution whenever it exists. In other words, the fault-hiding approach is universal for linear systems combined with linear control schemes. The further chapters will generalise the fault-hiding solutions from linear systems to two special classes of nonlinear dynamical systems: Hammerstein-Wiener systems and piecewise affine systems. The universality of the fault-hiding approach carries over to the case of Hammerstein-Wiener systems for the cases of exclusive actuator faults and exclusive sensor faults. The idea of virtual sensors (3.9) and virtual actuators (3.10) shown in Fig. 3.10 will be extended by feedthrough of the measured output $y_f$ to the nominal controller in Part III, without changing the basic idea and the basic properties described in simpler form in this chapter. However, the added feedthrough introduces additional feedback loops into the Figures 3.11 and 3.12.



Chapter 4 

Linear Reconfiguration Solutions Based on the 

Fault-Hiding Approach 



Abstract. This chapter presents linear solutions to the reconfiguration problems defined in Chapter 3 based on the fault-hiding principle. First, nominal linear systems
are defined, some of their basic properties are reviewed, and the nominal closed- 
loop system is defined. It is shown how faults are modelled in linear systems. The 
linear virtual sensor and the linear virtual actuator are defined, and it is described 
how they must be designed such that the previously defined reconfiguration goals 
are satisfied. The solution procedures for obtaining the suitable parameters in the 
reconfiguration blocks are sketched. 



4.1 Nominal Linear Systems 

Linear systems are viewed as the simplest dynamical approximation of nonlinear 
systems. They are defined as follows. 

Definition 4.1 (Linear dynamical system J117L luill ). A linear time-invariant 
(LTI) dynamical system is a system of linear first-order ODEs

$$\begin{aligned} \dot x(t) &= A x(t) + B u_c(t) + B_d d(t) \\ y(t) &= C x(t) \\ z(t) &= C_z x(t) \end{aligned} \tag{4.1}$$

where all signals are in accordance with Definition 3.2 and where $A$ is the system matrix, $B$ is the input matrix, $B_d$ the disturbance input matrix, $C$ is the measurement matrix, and $C_z$ is the relevant output matrix. All matrices are of compatible dimensions, and

$$x(0) = x_0 \tag{4.2}$$

is the initial condition.

Fig. 4.1 Linear dynamical system.



A linear system (Fig. 4.1) is the simplest dynamical approximation of the nonlinear system (3.2) that is obtained by linearisation about an operating point
(x ,d ,u o ,y o ,z ): 



A = —{x,u c ,d) 

ox 



OX 



x=x M c =u ,d=d 



B - - — (x,u c ,d) 
ou c 

C Z = f%) 

OX 



x=x ,u c =u M=d 



(4.3) 



(4.4) 



Property 4.1 (Stability, ISS, and convergence of linear systems). The LTI system (4.1) is 0-GES iff there exist solutions $X = X^T > 0$ and $Y = Y^T > 0$ of the LMI

$$XA + A^T X + Y < 0. \tag{4.5}$$

Furthermore, the system (4.1) is ISS w.r.t. the input $(u_c, d)$ and globally exponentially convergent.

The inequality (4.5) is well-known as the Lyapunov inequality. The convergence property follows immediately from Theorem 2.4.

The $H_\infty$-norm of a linear system has the following alternative characterisations that will be used in this monograph.

Theorem 4.1 (Characterisation of //oo-norm ll29Lll87U21lll ). Consider the linear 
dynamical system with throughput

$$\begin{cases} \dot x(t) = A x(t) + B u_c(t) \\ y(t) = C x(t) + D u_c(t) \end{cases} \tag{4.6}$$

and with the transfer function

$$T_{u_c \to y}(s) = C(sI - A)^{-1} B + D, \tag{4.7}$$

and let $\gamma > 0$ be a scalar. Then,

$$\|T_{u_c \to y}(s)\|_{H_\infty} = \sup_{s \in \mathbb{C}_+} \sigma_{\max}(T_{u_c \to y}(s)),$$

where $\sigma_{\max}(\cdot)$ is the largest singular value of its argument, and furthermore the following statements are equivalent:

1. $\|T_{u_c \to y}(s)\|_{H_\infty} < \gamma$.

2. There exists a feasible solution $X = X^T > 0$ to the LMI

The linear system (4.1) is called stabilisable if the pair $(A, B)$ is stabilisable. Likewise, it is called detectable if the pair $(C, A)$ is detectable.

Example 4.1 (Linearised model of a ship). The linearisation of the ship 
model ( li.7D -( T77?l ). stated here for later use about the operating point x — (0. 1 0) T 
corresponding to slow surge velocity, and ignoring input saturations, leads to a lin- 
ear model of the form ( 14.71 ) with the model elements 



r-o.2105 o o cn 
-0.3857 -0.2381
10
1 000
(4.8)



(4.9) 



The system is completely controllable from the input $u_c$ and completely observable from the measurement $y$. The matrix $A$ has the set of real eigenvalues $\sigma(A) = \{-0.115, -0.4072, -0.2105, 0\}$. The eigenvalue at zero corresponds to the integrator dynamics from yaw velocity $r$ to heading $\psi$. The upper left triangular block corresponding to the variables $v$, $w$, $r$ is asymptotically stable. The $H_\infty$-gains of the transfer functions from all inputs to each separate output of the subsystem $(v, w, r)$ are calculated to be $\|T_{u_c \to v}(s)\|_{H_\infty} = 0.35$, $\|T_{u_c \to w}(s)\|_{H_\infty} = 0.28$, and $\|T_{u_c \to r}(s)\|_{H_\infty} = 1.46$.

Note that in the nonlinear model ( I7.7D -( T77?1 ), the surge, sway and yaw velocities 
(see Fig. 17.61 ) are completely coupled by bilinear feedback-interconnections. In the 
linearisation, the surge velocity v is not influenced by the sway and yaw velocities w 
and r, which are driven by the velocity in cascade interconnection. The linearised 
model thus neglects the influence of sway and yaw motions on the surge velocity. 

To compare the linearised model to the nonlinear model, their solutions corresponding
to the initial surge velocity $v(0) = 2$, initial sway velocity $w(0) = 0.1$, and
initial yaw velocity $r(0) = -0.79$ are shown in Fig. 4.2. The figure clearly shows
the shortcomings of the linear model: the oscillations that appear in the nonlinear
model due to the bilinear coupling do not show up in the linear model. Fig. 4.3
compares the resulting ship positions and headings in the earth-fixed reference frame
$(x, y)$ starting from the initial position $(x(0), y(0))^T = (0, 0)^T$ and the initial
heading 22.5°. The heading is symbolised by an oriented triangular ship symbol shown
every 5 seconds. The figure emphasises that the ship modelled by the nonlinear
dynamics rotates by nearly $\pi$ rad about the yaw axis while slowing down, whereas the
linearised ship slows down with significantly less rotation. Furthermore, the surge
velocity damping rate is too small, therefore slowing down the ship surge velocity
takes longer in the linear ship model than in the nonlinear ship model (see Fig. 4.2),
and the linear ship model covers a longer distance than the nonlinear ship model
when started from the same initial condition.

Fig. 4.2 Comparison of ship responses obtained with nonlinear and linear models in terms
of the surge, sway, and yaw velocities.

Fig. 4.3 Comparison of ship responses obtained with nonlinear and linear models in absolute
coordinates.

Finally, it is interesting that for large surge velocities the linearised system is
unstable, namely it has an eigenvalue in the right half-plane, in spite of the fact that
the physical system and its nonlinear model are globally asymptotically stable in
the variables $v$, $w$, and $r$ for zero input.

4.2 Nominal Closed-Loop System and Assumption 

Consider the linear nominal controller $\Sigma_C$ for the nominal linear plant (4.1),

$$\Sigma_C : \begin{cases} \dot{x}_c(t) = A_c x_c(t) + B_c y(t) + E_c r(t) \\ u_c(t) = C_c x_c(t) + D_c y(t) + F_c r(t) \\ x_c(0) = x_{c0} \end{cases} \qquad (4.10)$$

with the internal state $x_c(t) \in \mathbb{R}^{n_c}$ and the reference input r{t) e W . The nominal
linear plant (4.1) together with the nominal linear controller (4.10) give rise to the
nominal linear closed-loop system $(\Sigma_P, \Sigma_C)$ that satisfies the following assumption.

Assumption 4.1 (Stabilising and setpoint tracking nominal control). The nominal
closed-loop system Ei = $(\Sigma_P, \Sigma_C)$ formed by the nominal linear plant (4.1) and
the nominal linear controller (4.10) is internally stable. Furthermore, the tracking
error

$$e_z(t) \triangleq r(t) - z(t) \qquad (4.11)$$

satisfies certain desirable steady-state tracking and performance properties for
arbitrary initial conditions $x_0$ and $x_{c0}$.

4.3 Faults in Linear Systems 

In this section, faults are introduced into the linear system model (4.1).

Definition 4.2 (Actuator faults in linear systems). An actuator fault in a linear
system is an event occurring at time $t_f$ that changes the nominal input matrix
$B \in \mathbb{R}^{n \times m}$ to the faulty input matrix $B_f \in \mathbb{R}^{n \times m}$ of the same dimensions. □

Definition 4.3 (Sensor faults in linear systems). A sensor fault in a linear system is
an event occurring at time $t_f$ that changes the nominal measurement matrix
$C \in \mathbb{R}^{q \times n}$ to the faulty measurement matrix $C_f \in \mathbb{R}^{q \times n}$ of the same dimensions. □

The above fault definitions include partial component degradation and complete
failures, and a single fault may affect more than one component. As an example, an
actuator degradation might be modeled by scaling the corresponding input matrix
column by factors $\alpha_j$, whereas a complete single actuator failure requires setting the
respective column to zero. The same approach works for sensor faults in a similar
way:

$$B_f = (\alpha_1 b_1 \ \dots \ \alpha_m b_m), \quad \alpha_j \in [0, 1], \ j \in \{1, \dots, m\} \qquad (4.12)$$

$$C_f = \begin{pmatrix} \beta_1 c_1 \\ \vdots \\ \beta_q c_q \end{pmatrix}, \quad \beta_i \in [0, 1], \ i \in \{1, \dots, q\}. \qquad (4.13)$$

In addition to these special cases, the fault definitions 4.2 and 4.3 cover arbitrary
changes in the input and measurement matrices. The fault event abruptly changes
the nominal system (4.1) to the faulty linear system



$$\Sigma_{Pf} : \begin{cases} \dot{x}_f(t) = A x_f(t) + B_f u_f(t) + B_d d(t) \\ y_f(t) = C_f x_f(t) \\ z_f(t) = C_z x_f(t) \\ x_f(0) = x_0. \end{cases} \qquad (4.14)$$



Up to this point, that fault model can express actuator blockages in so far as they
occur at the linearisation point. However, blockage at other points than the operating
point may be modelled as disturbances as follows. Let $\bar{u}_j$, $j \in \mathcal{J}$, $\mathcal{J} \subset \{1, \dots, m\}$
denote blockage positions of a set of actuators described by an index set $\mathcal{J}$. Indeed,
the set $\mathcal{J}$ is a proper subset of the set of all actuators, since the failure of all actuators
would result in an autonomous faulty system that cannot be controlled. Thus, the
actuator blockage gives rise to the faulty system model

$$\dot{x}_f(t) = A x_f(t) + B_f u_f(t) + B_d d(t) + \sum_{j \in \mathcal{J}} b_j \bar{u}_j, \qquad (4.15)$$

where $B_f$ is according to Equation (4.12) with $\alpha_j = 0$ for $j \in \mathcal{J}$. In other words,
actuators blocked outside the operating point of linearisation act like constant
disturbances, whose structure is defined by the corresponding columns of $B$. Strictly
speaking, the faulty system with constant disturbance input is an affine system.
Table 4.1 summarises the expressiveness of the linear fault model.



Table 4.1 Technological faults representable by linear fault models.

Technological fault                          Representable   By model parameter
Changed actuator gain                        ✓               $B_f$
Changed nonlinear actuator characteristic    ×
Changed or reduced actuation range           ×
Actuator failure at the operating point      ✓               $B_f$
Actuator failure off the operating point     (✓)             $\sum_{j \in \mathcal{J}} b_j \bar{u}_j$ (affine)
Changed sensor gain                          ✓               $C_f$
Changed nonlinear sensor characteristic      ×
Sensor failure                               ✓               $C_f$

Legend: ✓: fully representable; (✓): representable leaving the system class; ×: not
representable



Example 4.2 (Linear model of ship subject to faults). In the linearised ship
model (4.8)-(4.9), faults are introduced as follows. The failure of the yaw rate gyro
sensor, fault f\, is modelled by means of a modified output matrix

$$C_f = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix} \qquad (4.16)$$



meaning that the gyro sensor outputs the value zero after its failure. The matrix $C_z$
remains unchanged.

A blockage of the rudder ut, in some blockage position $p \in [-1, 1]$ between maximum
clockwise rudder moment and maximum counter-clockwise rudder moment,
corresponding to the fault fi, is modelled by a modified input matrix



Bf = 



/U0526 0.0526 0^ 


0.0238 -0.0238 
0J 



(4.17) 



whose third column corresponds to the failed rudder, as well as a constant distur- 
bance 



(4.18) 



( ° ) 





0.2381 


, J 



The entire faulty system is described by the equations

$$\begin{aligned} \dot{x}_f(t) &= A x_f(t) + B_f u_f(t) + d_f p + B_d d(t) \\ y_f(t) &= C_f x_f(t) \\ z_f(t) &= C_z x_f(t). \end{aligned} \qquad (4.19)$$

The fault fi meaning a floating rudder is obtained by the special case $p = 0$. The
reduced thruster range f\ is not representable within the linear model framework.



4.4 Reconfiguration Problems 

The reconfiguration block (3.21) is now a linear system

$$\Sigma_R : \begin{cases} \dot{\xi}(t) = A_r \xi(t) + B_r u_c(t) + E_r y_f(t) \\ y_c(t) = C_r \xi(t) + F_r y_f(t) \\ u_f(t) = G_r \xi(t) + H_r u_c(t) \\ \xi(0) = \xi_0 \end{cases} \qquad (4.20)$$

that, together with the linear faulty plant (4.14) and the linear nominal controller
(4.10), forms the reconfigured closed-loop system $(\Sigma_{Pf}, \Sigma_R, \Sigma_C)$. The reconfiguration
problems 3.3, 3.4 and [33] stated in Chapter 3 are now specified for linear systems,
starting with stability.

Problem 4.1 (Stability recovery for linear systems). Consider the nominal linear
plant $\Sigma_P$ defined in Equation (4.1) and the faulty linear plant $\Sigma_{Pf}$ defined in
Equation (4.14). Find a linear reconfiguration block $\Sigma_R$ of the form (4.20) such that

$$\forall \Sigma_C : \big((\Sigma_P, \Sigma_C) \text{ internally stable}\big) \Rightarrow \big((\Sigma_{Pf}, \Sigma_R, \Sigma_C) \text{ internally stable}\big).$$

In other words, every controller that internally stabilises the nominal plant must also
stabilise the reconfigured plant.

Problem 4.2 (Stable asymptotic setpoint tracking recovery for linear systems).
Consider the nominal linear plant $\Sigma_P$ defined in Equation (4.1) and the faulty linear
plant $\Sigma_{Pf}$ defined in Equation (4.14). Find a reconfiguration block $\Sigma_R$ of the
form (4.20) such that for all nominal controllers $\Sigma_C$ satisfying Assumption 4.1 the
reconfigured closed-loop system is internally stable, and

$$\forall r(t) = \bar{r}\sigma(t), \ d(t) = \bar{d}\sigma(t), \ x_0, x_{c0}, \xi_0 : \lim_{t \to \infty} \big(z(t) - z_f(t)\big) = 0. \qquad (4.21)$$

In other words, the reconfigured closed-loop system should asymptotically track
constant setpoints to the same precision as the nominal closed-loop system.

Problem 4.3 (Exact stable performance recovery for linear systems). Consider
the nominal plant $\Sigma_P$ defined in Equation (4.1) and the faulty plant $\Sigma_{Pf}$ defined in
Equation (4.14). Find a reconfiguration block $\Sigma_R$ of the form (4.20) with the initial
condition $\xi_0$ such that for all nominal controllers $\Sigma_C$ satisfying Assumption 4.1 the
reconfigured closed-loop system is stable, and

$$\forall t > 0, \ \forall r(t), d(t), x_0, x_{c0}, \xi_0 : z(t) - z_f(t) = 0. \qquad (4.22)$$

In other words, for arbitrary reference and disturbance inputs, the reconfigured
closed-loop system should respond with exactly the nominal output. This goal is
frequently not achievable. The following problem consists in approximating the
exact recovery.

Problem 4.4 (Almost exact stable performance recovery for linear systems).
Consider the nominal plant $\Sigma_P$ defined in Equation (4.1) and the faulty plant $\Sigma_{Pf}$
defined in Equation (4.14). Given a bound $\gamma \in (0, \infty]$ on performance loss, find a
reconfiguration block $\Sigma_R$ of the form (4.20) such that for all nominal controllers $\Sigma_C$
satisfying Assumption 4.1 the reconfigured closed-loop system is stable, and

$$\forall u_c(t), x_0, x_{c0}, \xi_0 : \frac{\|z(t) - z_f(t)\|_{L_2}}{\|u_c(t)\|_{L_2}} < \gamma. \qquad (4.23)$$

The latter problem is solvable if the inequality (4.23) is satisfiable for every $\gamma$. The
following problem demands a compromise between best-possible output recovery
and moderate input power amplification.

Problem 4.5 (Optimal stable performance recovery for linear systems). Consider
the nominal plant $\Sigma_P$ defined in Equation (4.1) and the faulty plant $\Sigma_{Pf}$ defined
in Equation (4.14). Find an optimal reconfiguration block $\Sigma_R^*$ that, for all nominal
controllers $\Sigma_C$ satisfying Assumption 4.1, attains a tradeoff $\lambda\gamma_z + (1 - \lambda)\gamma_u$
parameterized over $\lambda \in [0, 1]$ between

1. Optimal approximation of the closed-loop output trajectory in the sense that if
$z_f^*$ is the output obtained with $\Sigma_R^*$ and $z_f$ is the output obtained with any other
reconfiguration block $\Sigma_R$, then

$$\frac{\|z(t) - z_f^*(t)\|_{L_2}}{\|u_c(t)\|_{L_2}} \le \frac{\|z(t) - z_f(t)\|_{L_2}}{\|u_c(t)\|_{L_2}} \qquad (4.24)$$

holds, and

2. Minimum amplification of the input signal in the sense that if $u_f^*$ is the control
input obtained with $\Sigma_R^*$ and $u_f$ is the control input obtained with any other
reconfiguration block $\Sigma_R$, then

$$\forall u_c(t), x_0, x_{c0}, \xi_0 : 1 \le \gamma_u = \frac{\|u_f^*(t)\|_{L_2}}{\|u_c(t)\|_{L_2}} \le \frac{\|u_f(t)\|_{L_2}}{\|u_c(t)\|_{L_2}}. \qquad (4.25)$$

Note that Problem 4.5 reduces to Problem 4.3 whenever the latter is solvable, if
total weight is put on output trajectory recovery and zero weight is put on input
amplification. Solutions to these problems are next stated separately for the cases of
sensor faults and actuator faults.



4.5 Linear Virtual Sensor 

For the problems with sensor faults ($B_f = B$, $C_f \neq C$) in the linear faulty plant (4.14),
the reconfiguration block $\Sigma_R$ defined in Equation (3.21) is realised by means of
a virtual sensor $\Sigma_S$ (Fig. 4.4), which contains an observer for the linear faulty
plant (4.14).






Definition 4.4 (Linear virtual sensor [202]). The linear virtual sensor is the
dynamical system

$$\Sigma_S : \begin{cases} \dot{\hat{x}}_f(t) = A_\delta \hat{x}_f(t) + B u_f(t) + L y_f(t) \\ u_f(t) = u_c(t) \\ y_c(t) = P y_f(t) + C_\delta \hat{x}_f(t) \end{cases} \qquad (4.26)$$

with the initial condition $\hat{x}_f(0) = \hat{x}_{f0}$, and where

$$A_\delta \triangleq A - L C_f \qquad (4.27)$$

$$C_\delta \triangleq C - P C_f \qquad (4.28)$$

and $\hat{x}_f(t) \in \mathbb{R}^n$ hold.

Fig. 4.4 Reconfigurable control after sensor faults by means of linear virtual sensor.



Note that the linear virtual sensor is a reconfiguration block in accordance with
Definition [33] that satisfies the inactivity conditions for $P = I$.

The linear reconfigured closed-loop system $(\Sigma_{Pf}, \Sigma_S, \Sigma_C)$ is given by the
equations (4.14), (4.26), and (4.10). For a better understanding of the following
synthesis procedures, it is instructive to study the dynamics of the observation error
$e(t) = \hat{x}_f(t) - x_f(t)$ and its impact on the output $y_c$ provided to the controller,

$$\begin{aligned} \dot{e}(t) &= A_\delta e(t) - B_d d(t) \\ y_\delta(t) &= C_\delta e(t) \\ y_c(t) &= C x_f(t) + y_\delta(t). \end{aligned} \qquad (4.29)$$

The equation shows that the observation error perturbs the true measurement $C x_f$
through the matrix $C_\delta$. It is straightforward to verify that the Problems 4.2 to |431
refer to the reconfigured plant transfer functions $T_{u_c \to z_f}(s)$, $T_{d \to z_f}(s)$, $T_{u_c \to y_c}(s)$,
and $T_{d \to y_c}(s)$. The first three transfer functions are always nominal in the case of
sensor faults, namely

$$\begin{aligned} T_{u_c \to z_f}(s) &= C_z(sI - A)^{-1} B = T_{u_c \to z}(s) \\ T_{d \to z_f}(s) &= C_z(sI - A)^{-1} B_d = T_{d \to z}(s) \\ T_{u_c \to y_c}(s) &= C(sI - A)^{-1} B = T_{u_c \to y}(s). \end{aligned}$$

The transfer function from the disturbance $d$ to the output $y_c$ is given by

$$\begin{aligned} T_{d \to y_c}(s) &= C(sI - A)^{-1} B_d + C_\delta(sI - A_\delta)^{-1} B_d \\ &= T_{d \to y}(s) + C_\delta(sI - A_\delta)^{-1} B_d, \end{aligned}$$

where the transfer function

$$T_{d \to y_\delta}(s) \triangleq C_\delta(sI - A_\delta)^{-1} B_d \qquad (4.30)$$

represents the effect of the sensor fault visible at the output. Based on
Assumption 4.1 the following results about the properties of the reconfigured closed-loop
system have been obtained.



Theorem 4.2 (Reconfigured closed-loop stability recovery [202]). Consider the
nominal linear plant (4.1) and the faulty linear plant (4.14) with $B_f = B$, and suppose
that Assumption 4.1 holds. Problem 4.1 is solvable by means of a virtual sensor (4.26)
if and only if

$$(C_f, A) \text{ is detectable.} \qquad (4.31)$$

The reconfigured closed-loop system (4.14), (4.10), (4.26) is stable if $\sigma(A_\delta) \subset \mathbb{C}_-$.

In other words, given nominal closed-loop stability, the reconfigured closed-loop
stability depends only on the stability of the error dynamics of the virtual sensor. The
latter is determined by the existence of a matrix $L$ such that the matrix $A_\delta = A - L C_f$
is Hurwitz. Finding a stabilising solution $L$ is a linear observer design problem,
which, using duality, is solvable by means of pole-placement algorithms [183, 226]
or linear quadratic optimal control algorithms J9q , Ill7ll .



Theorem 4.3 (Reconfigured closed-loop tracking recovery [202]). Consider the
nominal linear plant (4.1) and the faulty linear plant (4.14) with $B_f = B$, and suppose
that Assumption 4.1 holds. Problem 4.2 is solvable by means of a virtual
sensor (4.26) in the presence of constant disturbances if and only if Condition (4.31)
holds and

$$\operatorname{rank} \begin{pmatrix} A & B_d \\ C_f & 0 \end{pmatrix} = \operatorname{rank} \begin{pmatrix} A & B_d \\ C_f & 0 \\ C & 0 \end{pmatrix}. \qquad (4.32)$$

Given a stabilising gain $L$, the gain $P$ must be chosen according to

$$P = C(A - L C_f)^{-1} B_d \left(C_f (A - L C_f)^{-1} B_d\right)^+.$$

In other words, the output error of the observer is statically decoupled from constant
disturbances $d$ by placing a transmission zero in the transfer function
$T_{d \to y_\delta}(s) = C_\delta(sI - A_\delta)^{-1} B_d$ at the frequency zero: $T_{d \to y_\delta}(0) = 0$.
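The static decoupling of Theorem 4.3 can be checked numerically. The following is an added example, not code from the monograph: it builds the virtual sensor (4.26) for a constructed two-state yaw model with a failed gyro and compares the plain choice P = I with the gain P of Theorem 4.3 under a constant disturbance. The plant matrices, the hand-picked observer gain L and all function names are assumptions.

```python
"""Linear virtual sensor (Definition 4.4) with the static gain P of Theorem 4.3.

Constructed two-state yaw model (assumption, not the monograph's ship data):
state x = (yaw rate r, heading psi); nominally both are measured, and the
gyro fault replaces the first row of C by zeros.
"""

def mul(X, Y):
    """Matrix product of two list-of-rows matrices."""
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]

def add(X, Y, s=1.0):
    """X + s * Y, element-wise."""
    return [[a + s * b for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]

def inv2(M):
    """Inverse of a 2x2 matrix."""
    (a, b), (c, d) = M
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]

def pinv_col(v):
    """Pseudo-inverse of a nonzero column vector (q x 1 -> 1 x q)."""
    n2 = sum(row[0] ** 2 for row in v)
    return [[row[0] / n2 for row in v]]

A = [[-0.5, 0.0], [1.0, 0.0]]      # r' = -0.5 r + u + d, psi' = r
B = [[1.0], [0.0]]
B_d = [[1.0], [0.0]]
C = [[1.0, 0.0], [0.0, 1.0]]       # nominal sensors: gyro and compass
C_f = [[0.0, 0.0], [0.0, 1.0]]     # faulty sensors: gyro outputs zero
L = [[0.0, 2.0], [0.0, 2.5]]       # hand-picked gain, poles of A_delta: -1.5 +/- 1j
I2 = [[1.0, 0.0], [0.0, 1.0]]

A_delta = add(A, mul(L, C_f), -1.0)            # Eq. (4.27)

def tracking_gain():
    """P = C A_delta^-1 B_d (C_f A_delta^-1 B_d)^+ as stated in Theorem 4.3."""
    g = mul(inv2(A_delta), B_d)
    return mul(mul(C, g), pinv_col(mul(C_f, g)))

def dc_gain_d_to_ydelta(P):
    """Transfer function (4.30) evaluated at s = 0: C_delta (-A_delta)^-1 B_d."""
    C_delta = add(C, mul(P, C_f), -1.0)        # Eq. (4.28)
    minus_inv = [[-v for v in row] for row in inv2(A_delta)]
    return mul(mul(C_delta, minus_inv), B_d)

def simulate(P, u_c=0.2, d=0.1, t_end=20.0, dt=2e-3):
    """Euler simulation of faulty plant (4.14) plus virtual sensor (4.26).

    Returns (y_c, C x_f) at t_end: what the controller sees and what a
    healthy sensor set would have measured."""
    C_delta = add(C, mul(P, C_f), -1.0)
    x, x_hat = [[0.3], [0.0]], [[0.0], [0.0]]
    for _ in range(int(round(t_end / dt))):
        y_f = mul(C_f, x)                      # faulty measurement
        u_f = [[u_c]]                          # u_f = u_c in Eq. (4.26)
        dx = add(add(mul(A, x), mul(B, u_f)), mul(B_d, [[d]]))
        dx_hat = add(add(mul(A_delta, x_hat), mul(B, u_f)), mul(L, y_f))
        x, x_hat = add(x, dx, dt), add(x_hat, dx_hat, dt)
    y_c = add(mul(P, mul(C_f, x)), mul(C_delta, x_hat))
    return [row[0] for row in y_c], [row[0] for row in mul(C, x)]

if __name__ == "__main__":
    for name, P in (("P = I", I2), ("P from Theorem 4.3", tracking_gain())):
        y_c, y_nom = simulate(P)
        print(f"{name}: steady-state yaw-rate error {y_c[0] - y_nom[0]:+.6f}")
```

With P = I the reconstructed yaw rate keeps a constant offset proportional to the disturbance, whereas the gain from Theorem 4.3 removes it even though the state estimate itself stays biased.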

Theorem 4.4 (Exact closed-loop performance recovery [180]). Consider the
nominal linear plant (4.1) and the faulty linear plant (4.14) with $B_f = B$, and suppose
that Assumption 4.1 holds. Problem 4.3 is solvable by means of a virtual
sensor (4.26) if and only if the infimal detectability subspace $\mathcal{S}^*(\operatorname{im} B_d)$ satisfies
the condition

$$\{\mathcal{S}^*(\operatorname{im} B_d) \cap \ker C_f \subseteq \ker C\} \wedge \{(C_f, A) \text{ is detectable}\}. \qquad (4.33)$$

In other words, the disturbance $d$ is dynamically decoupled from the observer
output error $y_\delta$ by means of disturbance localisation into a conditioned-invariant
detectability subspace $\mathcal{S}^*$ that is not visible at $y_\delta$. The transfer function $T_{d \to y_\delta}(s)$
vanishes, namely $T_{d \to y_\delta}(s) = 0$. The numerically robust computation of gains $L$ and
$P$ that solve Problem 4.3, provided that Condition (4.33) is satisfied, is described
in [180].



Theorem 4.5 (Almost exact closed-loop performance recovery [180]). Consider
the nominal linear plant (4.1) and the faulty linear plant (4.14) with $B_f = B$, and
suppose that Assumption 4.1 holds. Problem 4.4 is solvable by means of a virtual
sensor (4.26) if and only if the infimal almost detectability subspace $\mathcal{S}_b^*(\operatorname{im} B_d)$
satisfies the condition

$$\{\mathcal{S}_b^*(\operatorname{im} B_d) \cap \ker C_f \subseteq \ker C\} \wedge \{(C_f, A) \text{ is detectable}\}. \qquad (4.34)$$

The following theorem shows that the choice of the fault-hiding principle with
virtual sensors is not restrictive for the solvability of the reconfiguration problem.



Theorem 4.6 (Universality of virtual sensors [180]). If Problem 3.2 is solvable
for sensor faults in an exact sense (in an almost sense), then a solution based on the
asymptotic fault-hiding goal and the virtual sensor (4.26) exists in an exact sense
(in an almost sense).

Proof. See Appendix D, page 257.

Since Condition (4.33) is frequently not satisfied, a solution to Problem 4.5 is also
given that aims at minimising the gain from $d$ to $y_\delta$ in the sense $L_2 \to L_2$, which is
given by the $H_\infty$-norm of the transfer function (4.30). Furthermore, the presence of
measurement noise $n$ is taken into account, modeled by the modified output equation

$$y_f(t) = C_f x_f(t) + n(t).$$

The noise signal acts uniformly on all components of the measurement vector. The
measurement noise has an influence on the output perturbation $y_\delta$ that is
characterised by the transfer function

$$T_{n \to y_\delta}(s) = C_\delta(sI - A_\delta)^{-1} L + P. \qquad (4.35)$$

Theorem 4.7 (Optimal closed-loop performance recovery). Consider the nominal
linear plant (4.1) and the faulty linear plant (4.14) with $B_f = B$, and suppose
that Assumption 4.1 holds. Problem 4.5 is solvable by means of a linear virtual
sensor (4.26) if and only if there exist feasible solutions $X_s \in \mathbb{R}^{n \times n}$, $Y_s \in \mathbb{R}^{n \times q}$,
$P \in \mathbb{R}^{q \times q}$, $\gamma_d \in \mathbb{R}$, and $\gamma_n \in \mathbb{R}$ to the convex optimisation problem

$$\min \ \lambda\gamma_d + (1 - \lambda)\gamma_n \quad \text{for given } \lambda \in [0, 1] \qquad (4.36)$$

subject to

$$\begin{pmatrix} A^T X_s + X_s A - C_f^T Y_s^T - Y_s C_f & X_s B_d & (C - P C_f)^T \\ \star & -\gamma_d I & 0 \\ \star & \star & -\gamma_d I \end{pmatrix} < 0 \qquad (4.37)$$

$$\begin{pmatrix} A^T X_s + X_s A - C_f^T Y_s^T - Y_s C_f & Y_s & (C - P C_f)^T \\ \star & -\gamma_n I & P^T \\ \star & \star & -\gamma_n I \end{pmatrix} < 0 \qquad (4.38)$$

$$X_s = X_s^T > 0, \quad \gamma_d > 0, \quad \gamma_n > 0. \qquad (4.39)$$

The linear virtual sensor gain $L$ is obtained from the equation

$$L = X_s^{-1} Y_s, \qquad (4.40)$$

whereas the gain $P$ is directly obtained from the solution of the LMIs (4.37), (4.38).



Proof. By means of elementary operations, the transfer function (4.30) is obtained
as a description $T_{d \to y_\delta}(s)$ of the influence of the disturbance on the output
observation error. Likewise, the transfer function (4.35) is a description $T_{n \to y_\delta}(s)$ of the
influence of the disturbance on the output observation error. Using Theorem 4.1 with
the substitutions $A \to A_\delta$, $B \to B_d$, $C \to C_\delta$, and $D \to 0$ implies that the relation
$\|T_{d \to y_\delta}(s)\|_{H_\infty} < \gamma_d$ holds if and only if the bilinear matrix inequality

$$\begin{pmatrix} (A - L C_f)^T X_{sd} + X_{sd}(A - L C_f) & X_{sd} B_d & (C - P C_f)^T \\ \star & -\gamma_d I & 0 \\ \star & \star & -\gamma_d I \end{pmatrix} < 0, \quad X_{sd} = X_{sd}^T > 0$$

is feasible, which after the substitution $Y_{sd} = X_{sd} L$ is equivalent to the LMI

$$\begin{pmatrix} A^T X_{sd} + X_{sd} A - C_f^T Y_{sd}^T - Y_{sd} C_f & X_{sd} B_d & (C - P C_f)^T \\ \star & -\gamma_d I & 0 \\ \star & \star & -\gamma_d I \end{pmatrix} < 0, \quad X_{sd} = X_{sd}^T > 0.$$

Likewise, the application of the substitutions $A \to A_\delta$, $B \to L$, $C \to C_\delta$, and
$D \to P$ implies that the relation $\|T_{n \to y_\delta}(s)\|_{H_\infty} < \gamma_n$ holds if and only if the bilinear
matrix inequality

$$\begin{pmatrix} (A - L C_f)^T X_{sn} + X_{sn}(A - L C_f) & X_{sn} L & (C - P C_f)^T \\ \star & -\gamma_n I & P^T \\ \star & \star & -\gamma_n I \end{pmatrix} < 0, \quad X_{sn} = X_{sn}^T > 0$$

is feasible, which after the substitution $Y_{sn} = X_{sn} L$ is equivalent to the LMI

$$\begin{pmatrix} A^T X_{sn} + X_{sn} A - C_f^T Y_{sn}^T - Y_{sn} C_f & Y_{sn} & (C - P C_f)^T \\ \star & -\gamma_n I & P^T \\ \star & \star & -\gamma_n I \end{pmatrix} < 0, \quad X_{sn} = X_{sn}^T > 0.$$

An optimal compromise is obtained by minimising the objective function
$\lambda\gamma_d + (1 - \lambda)\gamma_n$ over the feasible solutions of both LMIs. Observing that the recovery of the
observer gain $L = X_{sd}^{-1} Y_{sd}$ and $L = X_{sn}^{-1} Y_{sn}$ must be consistent, the unification
$X_s = X_{sd} = X_{sn}$ and $Y_s = Y_{sd} = Y_{sn}$ results in the LMIs (4.37), (4.38), which completes
the proof. ■

The LMI (4.37) is an equivalent characterisation of the $H_\infty$-norm of the transfer
function (4.30) from $d$ to $y_\delta$, whereas the LMI (4.38) is an equivalent characterisation
of the $H_\infty$-norm of the transfer function (4.35) from $n$ to $y_\delta$. The compromise
between the suppression of the disturbance influence and the suppression of
measurement noise on the error of the reconstructed output is parameterised by means
of the weight $\lambda \in [0, 1]$. The multi-objective optimisation problem (4.36) gives rise
to Pareto-optimal solutions, meaning that an improvement with respect to one of the
goals cannot be attained without a drawback on the other goal.

Example 4.3 (Linear virtual sensor for the ship). The linearised ship model with
the parameters (4.8), (4.9) is now considered for a failure of the gyro sensor (f\).
A reconfigurability analysis reveals which of the reconfiguration goals are
achievable after the gyro failure. The pair $(C_f, A)$ remains observable, therefore also
detectable, where $C_f$ has been defined in Equation (4.16) on page |67]. Thus,
Problem 4.1 is solvable by Theorem 4.2.

Condition (4.32) for setpoint tracking recoverability evaluates to the ranks

$$\operatorname{rank} \begin{pmatrix} A & B_d \\ C_f & 0 \end{pmatrix} = 6 = \operatorname{rank} \begin{pmatrix} A & B_d \\ C_f & 0 \\ C & 0 \end{pmatrix},$$

therefore setpoint tracking recovery in the presence of constant wind is solvable by
Theorem 4.3. This result coincides with the intuition that after a failed gyro, the
influence of constant wind on the ship is visible in the remaining functional velocity
and heading measurements.

The relevant spaces in Condition (4.33) for exact performance recoverability are

$$\mathcal{S}_g^*(\operatorname{im} B_d) = \mathbb{R}^4, \quad \ker C_f = \operatorname{span}\left\{ \begin{pmatrix} 0 \\ 1 \\ 0 \\ 0 \end{pmatrix}, \begin{pmatrix} 0 \\ 0 \\ 1 \\ 0 \end{pmatrix} \right\}, \quad \ker C = \operatorname{span}\left\{ \begin{pmatrix} 0 \\ 1 \\ 0 \\ 0 \end{pmatrix} \right\}.$$

It is easy to see that Condition (4.33) is not satisfied, therefore Theorem 4.4 states
that exact performance recovery in the presence of arbitrary wind is impossible.
This result is also intuitively clear, since arbitrary time-varying two-dimensional
wind has an immediate effect on the acceleration and yaw rate of the ship that
becomes visible in the velocity and heading only after one integration.

The solvability of optimal performance recovery according to Theorem 4.7 is
illustrated in Fig. 4.5. In the figure, the achievable compromise in terms of $\gamma_d$, $\gamma_n$ is
shown for various $C_f = (c_1^T \ \ \beta c_2^T \ \ c_3^T)^T$, $\beta = 0, 0.2, 0.4, 0.6, 0.8$ and different
compromise parameters $\lambda$. The parameter $\lambda$ increases from zero (bottom right) to one
(top left), as the arrow indicates. The figure shows that the estimation can be
arbitrarily well decoupled from the disturbance $d$ at the cost of increased amplification
of measurement noise. For complete sensor failure, the previous result of impossible
exact recovery is expressed in the non-zero gain $\gamma_d$ for $\beta = 0$.

Fig. 4.5 Reconfigurability analysis for nonlinear ship subject to gyro sensor degradation of
varying degree. Points in the lower left corner indicate best reconfigurability, points in the
upper right corner indicate worst reconfigurability.

The response of the nonlinear ship model subject to abrupt gyro sensor failure at
$t_f = 20$ s is shown in Fig. 4.6. The controller was reconfigured by inserting a linear
virtual sensor (4.26) into the closed-loop system, which was designed for setpoint
tracking recovery using Theorem 4.3. The virtual sensor well recovers estimates for
the yaw rate $r$ as shown in Fig. 4.6, where the actual signals are shown in solid and
the estimates are dashed with dot markers. The initial estimation error visible in $r$
quickly settles to zero, in spite of constant wind $(a_x, a_y) = (0.01, 0.01)$ in the global
reference frame $(x, y)$ that translates into the non-constant wind $(a_v, a_w)$ in the local
reference frame $(v, w)$ that is shown in the bottom axis of Fig. 4.6. The wind sets in
at time $t = 30$ s, as the letter $d$ in the top axis shows.

Fig. 4.7 shows the motion of the ship with reconfigured controller, which is capable
of avoiding the obstacle and returning to its old course due to the reconfiguration.


Fig. 4.6 Response of nonlinear ship subject to gyro sensor failure and control reconfiguration.

Fig. 4.7 Motion of nonlinear ship subject to gyro sensor failure and control reconfiguration.

Under certain conditions, the exact performance recovery problem after sensor
faults can also be solved based on a simplification of the full dynamical linear virtual
sensor (4.26) to a static virtual sensor

$$y_c(t) = P y_f(t) \qquad (4.41)$$

that is placed between the measured output $y_f$ of the faulty plant and the nominal
controller. The recoverability of nominal closed-loop performance is characterised
in terms of the Markov parameters by the following theorem, which uses the
controllability matrices

$$S_c = (B \ \ AB \ \ \dots \ \ A^{n-1} B) \qquad (4.42)$$

$$S_{c,d} = (B_d \ \ A B_d \ \ \dots \ \ A^{n-1} B_d). \qquad (4.43)$$


Theorem 4.8 (Markov-parameter-based exact closed-loop performance recovery
using static block IJ171II ). Consider the nominal linear plant (4.1) and the faulty
linear plant (4.14) with $B_f = B$, and suppose that Assumption 4.1 holds. Problem 4.3
is solvable by means of a static virtual sensor (4.41) with respect to reference
tracking if and only if the condition

rank(C/S c ) = rank! * c J (4.44)

is satisfied, where the corresponding gain is

$$P = C S_c (C_f S_c)^+. \qquad (4.45)$$

It is solvable with respect to disturbance rejection if and only if the condition

mnk(C f S c ,d) = rankf^M (4.46) 

is satisfied, where the corresponding gain is

$$P = C S_{c,d} (C_f S_{c,d})^+. \qquad (4.47)$$

Problem 4.3 is solvable by means of a static virtual sensor (4.41) with respect to
both reference tracking and disturbance rejection if and only if the conditions (4.44)
and (4.46) are satisfied at the same time. The corresponding gain is

$$P = C (S_c \ \ S_{c,d}) \left(C_f (S_c \ \ S_{c,d})\right)^+. \qquad (4.48)$$



4.6 Linear Virtual Actuator 



For the dual case of actuator faults ($B_f \neq B$, $C_f = C$) in the linear faulty plant (4.14),
the reconfiguration block $\Sigma_R$ defined in Equation (3.21) is realised by means of a
virtual actuator $\Sigma_A$ which combines the reference model (3.36) and an open-loop
observer for the faulty system in a single system. The nonlinear virtual actuator
defined in Equation (3.34) becomes the linear virtual actuator (Fig. 4.8).



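Definition 4.5 (Linear virtual actuator [202]). The linear virtual actuator is
the dynamical system

$$\Sigma_A : \begin{cases} \dot{x}_\Delta(t) = A_\Delta x_\Delta(t) + B_\Delta u_c(t), \quad x_\Delta(0) = \\ u_f(t) = M x_\Delta(t) + N u_c(t) \\ y_c(t) = y_f(t) + C x_\Delta(t) \end{cases} \qquad (4.49)$$

where

$$A_\Delta \triangleq A - B_f M \qquad (4.50)$$

$$B_\Delta \triangleq B - B_f N \qquad (4.51)$$

and $x_\Delta(t) \in \mathbb{R}^n$ holds. □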



Note that the linear virtual actuator is a reconfiguration block in accordance with
Definition 3.5 that satisfies the inactivity conditions for $M = 0$ and $N = I$. Indeed, it
is the dual system of the linear virtual sensor.

The linear reconfigured closed-loop system $(\Sigma_{Pf}, \Sigma_A, \Sigma_C)$ is given by the
equations (4.14), (4.49), and (4.10). It is straightforward to verify that the
Problems 4.2 to 4.5 refer to the reconfigured plant transfer functions $T_{u_c \to z_f}(s)$, $T_{d \to z_f}(s)$,
$T_{u_c \to y_c}(s)$, and $T_{d \to y_c}(s)$. The latter three transfer functions are always nominal in
the case of actuator faults, namely

$$\begin{aligned} T_{d \to z_f}(s) &= C_z(sI - A)^{-1} B_d = T_{d \to z}(s) \\ T_{u_c \to y_c}(s) &= C(sI - A)^{-1} B = T_{u_c \to y}(s) \\ T_{d \to y_c}(s) &= C(sI - A)^{-1} B_d = T_{d \to y}(s). \end{aligned}$$

Fig. 4.8 Reconfigurable control after actuator faults by means of linear virtual actuator.

The only problem arises from the transfer function
$T_{u_c \to z_f}(s) = C_z(sI - A)^{-1} B + C_z(sI - A_\Delta)^{-1} B_\Delta$, which differs from the nominal
transfer function $T_{u_c \to z}(s) = C_z(sI - A)^{-1} B$ by the transfer function

$$T_{u_c \to z_\Delta}(s) \triangleq C_z(sI - A_\Delta)^{-1} B_\Delta. \qquad (4.52)$$

Based on Assumption 4.1 the following results about the properties of the
reconfigured closed-loop system have been obtained.



Theorem 4.9 (Reconfigured closed-loop stability recovery [202]). Consider the
nominal linear plant (4.1) and the faulty linear plant (4.14) with $C_f = C$, and suppose
that Assumption 4.1 holds. Problem 4.1 is solvable by means of a linear virtual
actuator (4.49) if and only if

$$(A, B_f) \text{ is stabilisable.} \qquad (4.53)$$

The reconfigured closed-loop system (4.14), (4.10), (4.49) is stable if $\sigma(A_\Delta) \subset \mathbb{C}_-$.

In other words, given nominal closed-loop stability, the reconfigured closed-loop
stability depends only on the stability of the virtual actuator. The latter is determined
by the existence of a matrix $M$ such that the matrix $A_\Delta = A - B_f M$ is Hurwitz. A
stabilising solution $M$ can thus be found using pole-placement algorithms [183, 226]
or linear quadratic optimal control algorithms J9q , Ill7ll .



Theorem 4.10 (Reconfigured closed-loop setpoint tracking recovery [202]).
Consider the nominal linear plant (4.1) and the faulty linear plant (4.14) with
$C_f = C$, and suppose that Assumption 4.1 holds. Problem 4.2 is solvable by means
of a linear virtual actuator (4.49) if and only if Condition (4.53) holds and

$$\operatorname{rank} \begin{pmatrix} A & B_f \\ C_z & 0 \end{pmatrix} = \operatorname{rank} \begin{pmatrix} A & B_f & B \\ C_z & 0 & 0 \end{pmatrix}. \qquad (4.54)$$

Given a stabilising gain $M$, the gain $N$ must be chosen according to

$$N = \left(C_z (A - B_f M)^{-1} B_f\right)^+ C_z (A - B_f M)^{-1} B.$$

In other words, a transmission zero is placed in the transfer function (4.52) at the
frequency zero: $T_{u_c \to z_\Delta}(0) = 0$.



Theorem 4.11 (Exact closed-loop performance recovery [125], [180], [202]). Consider the nominal linear plant (4.1) and the faulty linear plant (4.14) with $C_f = C$, and suppose that Assumption 4.1 holds. Problem 4.3 is solvable by means of a linear virtual actuator (4.49) if and only if the supremal stabilisability subspace $\mathcal{V}^*(\ker C_z) \subseteq \mathbb{R}^n$ satisfies the condition

$$\operatorname{im} B \subseteq \mathcal{V}^*(\ker C_z) + \operatorname{im} B_f. \tag{4.55}$$

In other words, Condition (4.55) ensures that the fault effect can be contained in a controlled-invariant stabilisability subspace $\mathcal{V}^*$ of the state space, which is not observable from the output $z$. Consequently, the transfer function (4.52) vanishes, namely $T_{u_c \to z_\Delta}(s) = 0$. The numerically robust computation of gains $M$ and $N$ that solve Problem 4.3, provided that Condition (4.55) is satisfied, is described in [180].

Theorem 4.11 completes the previous results of [125], [202], since it permits the analysis of the existence of stabilising exact decoupling solutions missing in [125], [202], and it implies that the solution is complete, namely a stable performance-recovering solution is found whenever it exists.



Theorem 4.12 (Almost trajectory recovery with stability [180]). Consider the nominal linear plant (4.1) and the faulty linear plant (4.14) with $C_f = C$, and suppose that Assumption 4.1 holds. Problem 4.4 is solvable by means of a linear virtual actuator (4.49) if and only if the supremal almost stabilisability subspace $\mathcal{V}_b^*(\ker C_z) \subseteq \mathbb{R}^n$ satisfies the condition

$$\{\operatorname{im} B \subseteq \mathcal{V}_b^*(\ker C_z) + \operatorname{im} B_f\} \wedge \{(A, B_f) \text{ stabilizable}\}. \tag{4.56}$$

Note that the external dynamics relative to $\mathcal{V}_b^*(\ker C_z)$ always need to be stabilized in this case (see also the proof given in [180]). Since $\mathcal{V}_b^* \supseteq \mathcal{V}^*$ is always true, the conditions for solving the almost trajectory recovery problem are less strict than the conditions for solving the strict trajectory recovery problem, as expected on the basis of the problem definitions. On the other hand, complete stabilizability of the system is necessary in almost trajectory recovery, whereas the weaker requirement of internal stabilizability with respect to $\mathcal{V}^*(\ker C_z)$ holds in the strict case.

The following theorem asserts that the fault-hiding-based virtual actuator is not 
a restriction for solving the exact performance recovery problem. 

Theorem 4.13 (Universality of virtual actuators [180]). If Problem 3.2 is solvable for actuator faults in an exact sense (in an almost sense), then a solution based on the strict fault-hiding goal and the virtual actuator (4.49) exists in an exact sense (in an almost sense).

Proof. See Appendix D, page 257.

Since Condition (4.55) is frequently not satisfied, an optimal performance recovery technique is useful in practice, therefore a solution to Problem 4.5 is also given.



Theorem 4.14 (Optimal closed-loop performance recovery [173]). Consider the nominal linear plant (4.1) and the faulty linear plant (4.14) with $C_f = C$, and suppose that Assumption 4.1 holds. Problem 4.5 is solvable by means of a linear virtual actuator (4.49) if there exist feasible solutions $X_\Delta \in \mathbb{R}^{n \times n}$, $Y_\Delta \in \mathbb{R}^{m \times n}$, $N \in \mathbb{R}^{m \times m}$, $\gamma_u \in \mathbb{R}$, and $\gamma_z \in \mathbb{R}$ to the optimisation problem

$$\min_{X_\Delta, Y_\Delta, N} \lambda \gamma_z + (1 - \lambda) \gamma_u \quad \text{for given } \lambda \in [0, 1] \tag{4.57}$$

subject to

$$\begin{pmatrix} X_\Delta A^T + A X_\Delta - Y_\Delta^T B_f^T - B_f Y_\Delta & B - B_f N & Y_\Delta^T \\ \star & -\gamma_u I & N^T \\ \star & \star & -\gamma_u I \end{pmatrix} \prec 0 \tag{4.58}$$

$$\begin{pmatrix} X_\Delta A^T + A X_\Delta - Y_\Delta^T B_f^T - B_f Y_\Delta & B - B_f N & X_\Delta C_z^T \\ \star & -\gamma_z I & 0 \\ \star & \star & -\gamma_z I \end{pmatrix} \prec 0 \tag{4.59}$$

$$X_\Delta = X_\Delta^T \succ 0, \quad \gamma_u > 1, \quad \gamma_z > 0. \tag{4.60}$$

The linear virtual actuator gain $M$ is obtained from the equation

$$M = Y_\Delta X_\Delta^{-1}, \tag{4.61}$$

whereas the gain $N$ is directly obtained from the solution of the LMIs (4.58) and (4.59).

The compromise between optimal output recovery and minimum input amplification is parameterised over the variable $\lambda \in [0, 1]$ that is specified by the system designer, where the case $\lambda = 0$ corresponds to minimum input amplification, and the case $\lambda = 1$ corresponds to minimum performance loss. The multi-objective optimisation problem (4.57) gives rise to Pareto-optimal solutions, meaning that an improvement with respect to one of the goals cannot be attained without a drawback on the other goal.

In summary, necessary and sufficient conditions for the solvability of the Problems 4.1-4.3 are available along with procedures for computing the gains of the reconfiguration block in order to solve the corresponding problem whenever it is solvable. Problem 4.5 is an exception in the sense that sufficient but non-necessary conditions are available. The lack of necessity follows from the unification of the variables $X_\Delta$ and $Y_\Delta$ in the constraints (4.58) and (4.59) of the multi-objective optimisation problem (4.57). Dropping one of the two optimisation objectives recovers the feasibility of the corresponding LMIs as a necessary and sufficient condition.



Example 4.4 (Linear virtual actuator for the ship). The ship model (1.1)-(1.4) has been linearised, providing the model elements (4.8), (4.9). First, a reconfigurability analysis reveals which faults can be recovered from the perspective of linear models. In the case of the rudder failure f$, the pair $(A, B_f)$ remains controllable, therefore also stabilisable, where $B_f$ has been defined in Equation (4.17) on page Wl]. Thus, Problem 4.1 is solvable by Theorem 4.9.

The Condition (4.54) for setpoint tracking recoverability evaluates to the ranks

$$\operatorname{rank} \begin{pmatrix} A & B_f \\ C_z & 0 \end{pmatrix} = 6 = \operatorname{rank} \begin{pmatrix} A & B_f & B \\ C_z & 0 & 0 \end{pmatrix},$$

therefore setpoint tracking recovery is solvable by Theorem 4.10. This result coincides with the intuition that after a blocked rudder, control over the yaw motion can be regained by using differential thrust on the left and right thrusters.

The relevant spaces in Condition (4.55) for exact performance recoverability are

im B = span , im B_f = span

and it can be verified that Condition (4.55) is satisfied. By Theorem 4.10, exact performance recovery is possible. The result means that a virtual actuator exists that contains the remaining fault effect within the sway motion w, where it is not visible through the relevant output z.

The solvability of optimal performance recovery according to Theorem 4.14 is illustrated in Fig. 4.9. In the figure, the achievable compromise in terms of $\gamma_u$, $\gamma_z$ is shown for various levels of rudder gain loss $B_f = [b_1 \; b_2 \; \alpha b_3]$, $\alpha \in \{0, 0.2, 0.4, 0.6, 0.8\}$ and different compromise parameters $\lambda$. Clearly, increasing loss of rudder effectiveness can only be recovered by means of increasing thruster usage.

Fig. 4.9 Reconfigurability analysis for nonlinear ship subject to rudder degradation of varying degree. Points in the lower left corner indicate best reconfigurability, points in the upper right corner indicate worst reconfigurability.



The response of the nonlinear ship model subject to abrupt rudder failure at $t_f = 20$ s is shown in Fig. 4.10. The controller was reconfigured by inserting a linear virtual actuator (4.49) into the closed-loop system, which was designed for exact performance recovery using Theorem 4.11. As expected, the virtual actuator uses the redundancy of differential thrust to manipulate the angular velocity r. However, the input signals $u_1$, $u_2$, and $u_3$ show that the thrust levels $u_f$ that the virtual actuator outputs exceed the saturation bounds several times, so that the effective inputs are the cut-off dashed signals shown in the lower three axes of Fig. 4.10. In other words, the linear virtual actuator does not respect the saturations, causes large amplification of the control input, and induces oscillations in surge velocity and yaw rate. Due to the unmodelled saturations, the performance is not exactly recovered in practice, because that requires too large input signals.

Fig. 4.11 shows the motion of the ship with reconfigured controller, which is capable of avoiding the obstacle and returning to its old course due to the reconfiguration.

The exact performance recovery problem after actuator faults can sometimes also be solved based on a simplification $M = 0$ and $y_c = y_f$ of the full dynamical virtual actuator (4.49) to a static virtual actuator

$$u_f(t) = N u_c(t) \tag{4.62}$$

that is placed between the controller output $u_c$ and the faulty plant. The recoverability of nominal closed-loop performance is characterised in terms of Markov parameters by the following theorem, which uses the observability matrix

$$S_o = \begin{pmatrix} C \\ CA \\ \vdots \\ CA^{n-1} \end{pmatrix}. \tag{4.63}$$

Fig. 4.10 Response of nonlinear ship subject to rudder failure and control reconfiguration.

Theorem 4.15 (Markov-parameter-based exact closed-loop performance recovery using static block [171]). Consider the nominal linear plant (4.1) and the faulty linear plant (4.14) with $C_f = C$, and suppose that Assumption 4.1 holds. Problem 4.3 is solvable by means of a static virtual actuator (4.62) if and only if the condition

$$\operatorname{rank}(S_o B_f) = \operatorname{rank}(S_o B_f \;\; S_o B) \tag{4.64}$$

is satisfied, where the corresponding gain is

$$N = (S_o B_f)^+ S_o B. \tag{4.65}$$

Fig. 4.11 Motion of nonlinear ship subject to rudder failure and control reconfiguration.



4.7 Combination of Virtual Sensor with Virtual Actuator 

The simultaneous occurrence of actuator and sensor faults is now considered. To reconfigure this class of faults, the virtual sensor and virtual actuator are combined,

$$\begin{aligned}
\dot{\hat{x}}_f(t) &= A_\delta \hat{x}_f(t) + B_f u_f(t) + L y_f(t) \\
\hat{y}_c(t) &= P y_f(t) + C_\delta \hat{x}_f(t) \\
\dot{x}_\Delta(t) &= A_\Delta x_\Delta(t) + B_\Delta u_c(t) \\
u_f(t) &= M x_\Delta(t) + N u_c(t) \\
y_c(t) &= \hat{y}_c(t) + C x_\Delta(t),
\end{aligned} \tag{4.66}$$

with $\hat{x}_f(0) = \hat{x}_{f0}$, $x_\Delta(0) = x_{\Delta 0}$, and where $A_\delta$, $C_\delta$, $A_\Delta$, and $B_\Delta$ are defined in Equations (4.27), (4.28), (4.50), and (4.51), respectively. The combination of the reconfiguration block (4.66) with the faulty plant (4.14) and a state transformation to the observation error e(t) - x/(t) - Xf(t) and the fictitious state x(t) = X/(f) + X/i(t) leads to the model of the reconfigured plant

z f (t) =(C t -C z )(x(t) e(t) x A (t)f .

This model shows that the asymptotic fault-hiding goal is achievable with the initialisations $\hat{x}_{f0} = x_0$ and $x_{\Delta 0} = 0$. Straightforward calculations show that the transfer function relations $T_{u_c \to y_c}(s) = T_{u_c \to y}(s)$ and $T_{d \to z_f}(s) = T_{d \to z}(s)$ are satisfied. It remains to recover the transfer functions $T_{u_c \to z_f}(s)$ and $T_{d \to y_c}(s)$ to their nominal counterparts.

The separate results and conditions regarding stability recovery, setpoint tracking 
recovery, and performance recovery also apply to the case of combined sensor and 
actuator faults. Instead of repeating all these results, the interesting case for exact 
performance recovery is explicitly stated. 

Theorem 4.16 (Exact closed-loop performance recovery after combined sensor and actuator faults [180]). Consider the faulty linear system (4.14) with both actuator and sensor faults. Problem 4.3 is solvable iff the infimal detectability subspace $\mathcal{S}^*(\operatorname{im} B_d)$ and the supremal stabilisability subspace $\mathcal{V}^*(\ker C_z) \subseteq \mathbb{R}^n$ satisfy the Conditions (4.33) and (4.55).

In other words, trajectory recovery is achievable iff the disturbance decoupled es- 
timation problem and the disturbance decoupling of the output correction problem 
are both solvable. 

Remark 4.1. It may appear that the trajectory recovery problem for combined actuator and sensor faults were equivalent to the stable disturbance decoupling problem for measured disturbance (DDPM). The latter problem is solvable iff $\mathcal{S}^*(\operatorname{im} B_d) \subseteq \mathcal{V}^*(\ker C_z)$, which is stricter than the solvability of trajectory recovery after actuator and sensor faults as derived above. The reason is that DDPM refers to a different control structure: The controller uses only output measurements to determine the control input, while the combination of a virtual actuator and a virtual sensor allows more freedom. Indeed, the virtual actuator uses the full state of a difference system prediction to emulate the missing control input that was lost due to the actuator faults. Hence, it is not necessary that $\mathcal{S}^* \subseteq \mathcal{V}^*$, which is the key to the separation result.

Finally, a global algorithm for coordinated application of the results presented in this chapter is sketched. Since the virtual sensor and the virtual actuator both satisfy the inactivity conditions and therefore qualify as reconfiguration blocks in the sense of Definition 3.5, they can both be implemented according to Equation (4.66) as part of the feedback control loop from the outset by setting them inactive. As soon as a fault is isolated, the fault models $B_f$ and $C_f$ are constructed.

In order to test the recoverability from the sensor faults, the conditions (4.44), (4.46), (4.33), (4.32), and (4.31) are checked in this sequential order in order to find out which is the strongest achievable reconfiguration goal based on the simplest-possible virtual sensor (where static virtual sensors are preferred over dynamical ones). Likewise, to test the recoverability from the actuator faults, the conditions (4.64), (4.55), (4.54), and (4.53) are checked in this sequential order in order to find out which is the strongest achievable reconfiguration goal based on the simplest-possible virtual actuator (again, static virtual actuators being preferred over dynamical ones). The solvability results are typically reported to the plant operators at a higher supervision level.
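The actuator-side test sequence described above, as an added example (not code from the monograph): it evaluates Conditions (4.64), (4.54) and (4.53) with NumPy on a small constructed plant and computes the gains $N$ from (4.65) and from Theorem 4.10. The plant matrices, the hand-picked gain `M_LOST` and all function names are assumptions of this example; the geometric Condition (4.55) is left out because it needs a stabilisability-subspace algorithm.

```python
import numpy as np

TOL = 1e-9  # absolute singular-value threshold used for all rank decisions


def rank(mat):
    return int(np.linalg.matrix_rank(mat, tol=TOL))


def observability_matrix(A, C):
    """S_o = [C; CA; ...; CA^(n-1)] as in (4.63)."""
    blocks = [C]
    for _ in range(A.shape[0] - 1):
        blocks.append(blocks[-1] @ A)
    return np.vstack(blocks)


def static_recoverable(A, B, Bf, C):
    """Condition (4.64): rank(S_o B_f) == rank([S_o B_f, S_o B])."""
    So = observability_matrix(A, C)
    return rank(So @ Bf) == rank(np.hstack([So @ Bf, So @ B]))


def static_gain(A, B, Bf, C):
    """Static virtual actuator gain (4.65): N = (S_o B_f)^+ S_o B."""
    So = observability_matrix(A, C)
    return np.linalg.pinv(So @ Bf) @ So @ B


def stabilisable(A, Bf):
    """Condition (4.53), checked with the PBH test on eigenvalues with Re >= 0."""
    n = A.shape[0]
    for lam in np.linalg.eigvals(A):
        if lam.real >= -TOL and rank(np.hstack([lam * np.eye(n) - A, Bf])) < n:
            return False
    return True


def tracking_recoverable(A, B, Bf, Cz):
    """Condition (4.54): appending B must not raise the rank of [A B_f; C_z 0]."""
    p = Cz.shape[0]
    left = np.vstack([np.hstack([A, Bf]),
                      np.hstack([Cz, np.zeros((p, Bf.shape[1]))])])
    right = np.vstack([np.hstack([A, Bf, B]),
                       np.hstack([Cz, np.zeros((p, Bf.shape[1] + B.shape[1]))])])
    return rank(left) == rank(right)


def tracking_gain(A, B, Bf, Cz, M):
    """N = [C_z (A - B_f M)^-1 B_f]^+ C_z (A - B_f M)^-1 B (Theorem 4.10)."""
    G = Cz @ np.linalg.inv(A - Bf @ M)
    return np.linalg.pinv(G @ Bf) @ G @ B


def dc_gain_difference(A, B, Bf, Cz, M, N):
    """T_{u_c -> z_Delta}(0) from (4.52) with A_D = A - B_f M and B_D = B - B_f N."""
    return Cz @ np.linalg.inv(-(A - Bf @ M)) @ (B - Bf @ N)


def strongest_goal(A, B, Bf, C, Cz):
    """Check (4.64), then (4.53) and (4.54); Condition (4.55) is skipped here."""
    if static_recoverable(A, B, Bf, C):
        return "exact recovery, static block (4.64)"
    if not stabilisable(A, Bf):
        return "not recoverable"
    if tracking_recoverable(A, B, Bf, Cz):
        return "setpoint tracking (4.53)+(4.54)"
    return "stability only (4.53)"


# Constructed two-state plant (not the ship model) with an unstable mode at +1.
A = np.array([[1.0, 1.0], [0.0, -2.0]])
B = np.eye(2)
C = np.eye(2)
CZ = np.array([[1.0, 0.0]])
BF_DEGRADED = np.array([[1.0, 0.0], [0.0, 0.5]])  # actuator 2 at 50 % effectiveness
BF_LOST = np.array([[0.0, 0.0], [0.0, 1.0]])      # actuator 1 failed completely
BF_NONE = np.zeros((2, 2))                        # both actuators failed
# Stabilising gain picked by hand: eig(A - BF_LOST @ M_LOST) = {-2, -3}.
M_LOST = np.array([[0.0, 0.0], [12.0, 4.0]])

if __name__ == "__main__":
    for name, Bf in [("degraded", BF_DEGRADED), ("lost", BF_LOST), ("none", BF_NONE)]:
        print(name, "->", strongest_goal(A, B, Bf, C, CZ))
    N = tracking_gain(A, B, BF_LOST, CZ, M_LOST)
    print("N =", N, "T(0) =", dc_gain_difference(A, B, BF_LOST, CZ, M_LOST, N))
```

In the complete-loss case the static test (4.64) fails while (4.53) and (4.54) hold, so a dynamical virtual actuator is needed, and the gain from Theorem 4.10 places the zero of (4.52) at frequency zero.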

The gains for the linear virtual sensor and actuator should be computed as solutions of the optimisation problems (4.36) and (4.57), which may be solved in parallel with the solvability tests. This recommendation is due to the fact that excessive control input signal amplitudes are avoidable by careful selection of the weight parameter $\lambda$ exclusively in this method. As soon as the resulting gains are available, the linear virtual sensor and the linear virtual actuator are updated.



4.8 Comparison of Virtual Actuator and Dual Observer 



In this section the relationship between the dual observer introduced in [112] and the virtual actuator introduced in [202] is studied. Both systems distribute control signals from unavailable inputs to available ones. In this sense, they are the opposite of state observers, which reconstruct complete state information from partial measurements. It is shown in this paper that the dual observer is a particular case of the virtual actuator.

In 1962, Rosenbrock emphasised the importance of extending the design of feedback controllers beyond the stabilisation problem in order to influence the input-output (I/O) behavior of the closed-loop system [183]. The perfect pole assignment that he proposed is achievable by means of state-feedback control if the whole system state is measurable (full-state sensing), or by means of output injection control if the controller has access to the innovations of all state variables (full-state actuation). These situations are shown on top of Fig. 4.12 and denoted by state feedback or output injection, respectively.

The fundamental implementation problems of these control structures are the unavailability of all states for measurement on the one hand, and limitations to independently influencing all state innovations on the other hand. The former problem led to the development of the state observer [110], [111], which provides the missing state information and represents a well-interpretable design procedure for obtaining dynamical compensators B3UI32I1. The latter problem gave rise to the dual observer [112], which approximates the missing control action by means of the available control channels. In both cases, a static feedback control law K is replaced by a dynamical compensator K(s) (bottom of Fig. 4.12). The introduction of new poles into the feedback loop by the controller K(s) is the price paid for enhancing the design freedom in order to tailor the I/O behavior according to the given closed-loop specifications.

In [112], Luenberger credits the dual observer to an unpublished manuscript by F. M. Brasch.

Fig. 4.12 Dual control realisation problems.

The observer design problem and the role of state observers in the feedback loop 
have attracted much attention since that time. This attention is partly due to the sim- 
plification of the overall compensator synthesis due to the separate design of the 
observer and the state-feedback controller. However, the dual problem of influenc- 
ing the innovations of all state variables by means of a dynamical component in the 
feedback loop has not been thoroughly studied. This is surprising because one could 
expect an equal interest in both problems due to the well-known duality between
observability and controllability, which are the plant properties that enable arbitrary 
pole assignment. The lack of interest might be explained by the fact that the dual 
observation problem was perceived as a particular case of the compensation prob- 
lem. The dual observer is next introduced, starting with the definition of the output 
injection realisation problem. 

Output injection realisation problem. Consider the output injection control law

$$u(t) = L(y(t) + V r(t)) \tag{4.67}$$

for the system (4.1) (Fig. 4.13), which yields the closed-loop system (4.1), (4.67)

$$\dot{x}(t) = (A + LC) x(t) + L V r(t) \tag{4.68}$$

whose transfer function from $r$ to $y$,

$$G_{r \to y}(s) = C (sI - (A + LC))^{-1} L V, \tag{4.69}$$

has the poles assigned by the appropriate choice of the matrix $L$.

A broad and detailed treatment of duality is available in [113].

Fig. 4.13 Output injection realisation problem.



It is known that the eigenvalues of $(A + LC)$ can be assigned arbitrary (stable) values by a suitable choice of $L$ if and only if the pair $(C, A)$ is observable (detectable) [112], [148]. Output injection control (4.67) is immediately implementable if all state innovations are directly accessible as shown in the upper right diagram of Fig. 4.12, where L is called K. Furthermore, the output injection (4.67) is implementable on the plant (4.1), if L can be factorised into L = BL, which is possible if and only if the condition

$$\operatorname{im} L \subseteq \operatorname{im} B \tag{4.70}$$

is satisfied (Fig. 4.13). Otherwise, the pole assignment for the transfer function (4.69) can only be approximately realised in the sense that the realisation introduces new, freely assignable poles into the closed-loop system.



Problem 4.6 (Approximate output feedback realisation [112]). Consider the system (4.1), the output injection (4.67), and suppose that Condition (4.70) is not satisfied. Realise the output feedback by means of a dynamic controller such that the transfer function $G_{r \to y}(s)$ of the closed-loop system from $r$ to $y$ has the eigenvalues of the matrix $(A + LC)$ as dominating poles.

Dual observer approach. Problem 4.6 is addressed in [112] and [148] by means of the dual observer (Fig. 4.14)



-DO

$$\begin{aligned}
\dot{s}(t) &= F s(t) + J w(t) \\
u(t) &= M s(t) + N w(t) \\
w(t) &= y(t) + C s(t) \\
w(t) &= w(t) + V r(t)
\end{aligned} \tag{4.71}$$

with the initial condition $s(0) = z_0$ subject to the constraints

$$F = A - BM, \tag{4.72}$$

$$J = L - BN. \tag{4.73}$$

Fig. 4.14 Dual observer for dynamically realizing output injection.

The dual observer mimics the effect of the missing control input u by using the existing input u (see also [134]).



Theorem 4.17 (Output feedback realisation by a dual observer [112]). The dual observer (4.71) with the constraints (4.72), (4.73) solves Problem 4.6. Furthermore, the constraints (4.72), (4.73) have a solution in $M$ and $N$ such that $F$ has arbitrarily given (stable) eigenvalues, if and only if the system (4.1) is controllable (stabilisable).

The system (4.71) is called a dual observer in [112] because it solves a problem that is dual to state observation, as illustrated in Fig. 4.12.

Remark 4.2. In [112, Th. 5], complete observability is stated as an additional condition for dual observer synthesis (the statement refers to reduced-order dual observers, to be precise). However, Luenberger considered the free pole placement problem for the entire closed-loop system, whereas we consider the matrix $A + LC$ as given.

Synthesis. The degrees of freedom lie in the choice of $M$ and $N$. They are used as follows in the design process. The system poles affected by the output feedback are determined by choosing the matrix $L$. Then the dual observer poles can be assigned by choosing $F$, which determines the gain $M$. Finally, it is possible to move the system zeros by changing $N$. Often $N = 0$ is chosen.

Remark 4.3. The dual observer was originally proposed in [112] as a governor for a linear function $s$ of the plant state $x$ (estimate $\hat{x} = Ts$). Without loss of generality and for the sake of clarity, this transformation is here assumed to be the identity: $T = I$.

Remark 4.4. The last equation of the dual observer (4.71) is different in the original definition in [112], where w = w holds. The reference signal r is added here to emphasise that the eigenvalues added by the dual observer affect the transfer functions $G_{r \to y}(s)$, but are structurally hidden from $G_{r \to w}(s)$.

Comparison with virtual actuator. The following corollary to Theorem 4.17 first mentions a special context for the virtual actuator that establishes identity between the dual observer and the virtual actuator.

Corollary 4.1 (Virtual actuator generalises dual observer). The virtual actuator used with unity feedback is identical to the dual observer.

Proof. The statement follows from attaching unity feedback $u_c(t) = y_c(t) + V r(t)$ to the virtual actuator (4.49) and comparison to the dual observer (4.71). The closed-loop systems are identical up to signal name exchanges $s \to x_\Delta$, $w \to u_c$, $u \to u_f$, $w \to y_c$, and v — > v/-, and the matrix variable exchanges $B \to B_f$ and $L \to B$. ■

Note that, in addition, the virtual actuator (4.49) with attached static linear state-feedback u(t) = Ky(t) + Vr(t) is equivalent to the system xj(f) - Fx/i(t) + JKy c (t) + K + Vr(t), Uf(t) - Mxa(0 + NKy c (t) + K + Vr(t), which is identical to the dual observer (4.71). However, such unifying transformations are not possible with dynamical or nonlinear controllers, which highlights the generalisation of the virtual actuator. This generalisation is largely due to the external signals $u_c$ and $y_c$, which are constrained to $u_c = y_c$ in the dual observer.

Although the motivations for dual observer design and virtual actuator design differ, the main differences, apart from the restriction of the dual observer to unity feedback, concern the notation. The desired input matrices that appear in the constraints (4.72) and (4.50) are distinct and denoted by $L$ in output feedback realisation, and by $B$ in control reconfiguration after actuator faults. The given input matrices to the given plants differ, called $B$ in output feedback realisation and $B_f$ in control reconfiguration.



4.9 Extensions and Discussion 

Further extensions have been worked out both for actuator faults and sensor faults 
in linear systems. These extensions, which are not described here in detail, concern 

• synthesis strategies based on Markov-parameter descriptions of the nominal and faulty system for dynamical virtual actuators [175], and

• reduced-order virtual actuators and virtual sensors [124].

Note that all solvability conditions stated in this chapter depend only on the parameters of the nominal and faulty plants. Therefore, reconfigurability is a pure system property. In particular, it does not depend on the nominal controller. This feature is a consequence of the formulation of the Problems 4.1-4.5 independently of the controller.

Problem 4.5 on optimal performance recovery is by definition always solvable. If the exact performance recovery problem is solvable, then the solutions computed based on the optimisation approaches given in Theorem 4.14 (actuator case) and given in Theorem 4.7 (sensor case) correspond to the exact performance recovering solutions based on geometric theory in Theorem 4.11 (actuator case) and in Theorem 4.4 (sensor case). The geometric conditions are highly useful for analysing a priori which fault scenarios are reconfigurable in what sense, whether or not the parameters for the virtual actuator and virtual sensor are computed based on the same theorem. Provided that LMIs can be efficiently and reliably solved online, the use of the optimisation approaches is an attractive alternative, since the choices of target poles or weight matrices that are necessary for pole placement and linear quadratic synthesis are replaced by the choice of a scalar parameter $\lambda$, which is considerably less complex and therefore easier.

The universality of the linear virtual actuator and the linear virtual sensor has been first shown in [180]. The significance of this result consists in the assertion that choosing the fault-hiding principle is not restrictive. The relation between the virtual actuator and the dual observer has been first discussed in [176].

In summary, this chapter has demonstrated that the theory of reconfigurable control based on fault-hiding approaches can be considered as fairly complete for linear systems, concluding Part I of this monograph. Reconfiguration solutions for the exclusive and combined occurrence of actuator and sensor faults based on the fault-hiding approach are available, and necessary and sufficient solvability conditions for the stability recovery, tracking recovery, and performance recovery problems are known. The case study [177] has revealed two properties of the linear fault-hiding approach in the context of a process control application. First, the fault-hiding principle is in principle practically feasible. Second, the linear approaches have the following significant limitations if the plant exhibits significant nonlinear behavior: linear systems cannot express physical constraints on control inputs, and they cannot represent nonlinear dynamics. Consequently, linear systems cannot represent certain practically important fault types that require nonlinear descriptions.

The purpose of the next two parts consists in the extension of these ideas towards two classes of nonlinear dynamical systems, namely towards Hammerstein-Wiener systems (Part II), as well as towards piecewise affine systems (Part III). The extensions preserve many of the main ideas and advantages of the fault-hiding principle, but due to the absence of the superposition principle in nonlinear systems, certain substantial differences are unavoidable. The process control application studied in [177] is revisited in Part IV of this monograph, where advances and improvements of the new nonlinear methods over the linear methods are demonstrated.



Part II 

Reconfigurable Control of 

Hammerstein-Wiener Systems



In this part, the reconfigurable control problem is solved for the class of Hammerstein-Wiener systems. The main motivation for studying this class of systems is the
presence of saturation constraints on the input signals. Actuator and sensor faults 
may occur simultaneously in this approach. Solutions are given with respect to the 
problems of recovering closed-loop stability and asymptotic tracking. All solutions 
are based on the fault-hiding principle. 



Chapter 5 

Control Reconfiguration Problem for 

Hammerstein-Wiener Systems



Abstract. This chapter defines Hammerstein-Wiener systems and the nominal 
closed-loop system. It is shown how faults are modelled in Hammerstein-Wiener 
systems, and the reconfiguration problem is stated for the class of Hammerstein- 
Wiener systems. Bibliographic notes on these systems conclude the chapter. 



5.1 Nominal Hammerstein-Wiener Systems 

Hammerstein-Wiener systems are an extension of linear systems that can express 
static nonlinear aspects of the system. 



Definition 5.1 (Hammerstein-Wiener system [150]). A Hammerstein-Wiener system is a system of first-order ODEs

$$\begin{aligned}
\dot{x}(t) &= A x(t) + B \varphi(u_c(t)) + B_d d(t) \\
y(t) &= h(C x(t)) \\
z(t) &= h_z(C_z x(t)),
\end{aligned} \tag{5.1}$$

where all signals are in accordance with Definition 3.2, all matrices are in accordance with Definition 4.1, and where $\varphi : \mathbb{R}^m \to \mathbb{R}^m$ is a memoryless nonlinear input function, h : R" — > R ? is a memoryless nonlinear function for the measured output, h z : R" — » R p (Fig. 5.1) is a memoryless nonlinear function for the controlled output, and

$$x(0) = x_0 \tag{5.2}$$

is the initial condition. o 

Hammerstein-Wiener systems are adequate system models whenever the nonlinear 
system under consideration may be approximately described by linear dynamics and 
separate nonlinear distortions of the input and output channels. This viewpoint may 
arise from physical insight into the system, such as it is the case when considering 



J.H. Richter: Reconfigurable Control of Nonlinear Dynamical Systems, LNCIS 408, pp. 89-95.
springerlink.com © Springer-Verlag Berlin Heidelberg 2011




Fig. 5.1 Hammerstein-Wiener system. 



the saturations that typically apply to inputs in technological systems. For the out- 
puts, such a perspective arises, for example, when a measured quantity is a nonlinear 
function of a state variable, such as the electrical conductivity of salt water, which 
depends on the salt concentration and on the temperature of the water. 

The class of saturated systems is obtained from the class of Hammerstein-Wiener systems by choosing the decomposed saturation function (2.1) as input nonlinearity ($\varphi(\cdot) = \operatorname{sat}(\underline{u}, \bar{u}, \cdot)$), and the identity function as output nonlinearities ($h(y) = y$, $h_z(z) = z$).

Definition 5.2 (Saturated system). A saturated system is a system of first-order ODEs

$$\begin{aligned}
\dot{x}(t) &= A x(t) + B \operatorname{sat}(\underline{u}, \bar{u}, u_c(t)) + B_d d(t) \\
y(t) &= C x(t) \\
z(t) &= C_z x(t),
\end{aligned} \tag{5.3}$$

where all signals are in accordance with Definition 3.2, all matrices are in accordance with Definition 4.1, where the saturation function $u_s = \operatorname{sat}(\underline{u}, \bar{u}, u)$,

$$u_{s,i} = \begin{cases} \underline{u}_i & \text{if } u_i < \underline{u}_i \\ u_i & \text{if } \underline{u}_i \le u_i \le \bar{u}_i \\ \bar{u}_i & \text{if } \bar{u}_i < u_i, \end{cases}$$

was first defined in Equation (2.1), and where $\underline{u}$ and $\bar{u}$ are vectors defining lower and upper input signal range limits. The initial condition is (5.2). o

Example 5.1 (Hammerstein model of a ship). Since the ship has input range limits, a Hammerstein model of the ship model (1.1)-(1.4) has the form of a saturated system (5.3). The parameters (4.8), (4.9) of the linearised model are used for the linear dynamical part of the model, and the input range limits are $\underline{u} = (-1 \; -1 \; -1)^T$ and $\bar{u} = (1 \; 1 \; 1)^T$.



5.2 Nominal Closed-Loop System and Assumptions 



Consider the nominal Hammerstein-Wiener controller $\Sigma_C$ for the nominal Hammerstein-Wiener plant (5.1),

$$
\Sigma_C:\ 
\begin{cases}
\dot{x}_c(t) = A_c x_c(t) + B_c \varphi_y(y(t)) + E_c \varphi_r(r(t)) \\
\check{u}_c(t) = C_c x_c(t) + D_c \varphi_y(y(t)) + F_c \varphi_r(r(t)) \\
u_c(t) = h_u(\check{u}_c(t)) \\
x_c(0) = x_{c0}
\end{cases}
\tag{5.4}
$$

with the internal state $x_c(t) \in \mathbb{R}^{n_c}$, the reference input $r(t) \in \mathbb{R}^{g}$, the nonlinear input functions $\varphi_y(\cdot)$ and $\varphi_r(\cdot)$, and the nonlinear output function $h_u(\cdot)$. The nominal Hammerstein-Wiener plant (5.1) together with the nominal controller (5.4) gives rise to the nominal closed-loop system $(\Sigma_P, \Sigma_C)$.

The following assumptions about the system (5.1) are in place throughout this chapter.

Assumption 5.1 (Sector-bounded Lipschitz input function). The function $\varphi(\cdot)$ in the system (5.1) is assumed to be globally uniformly Lipschitz, to be decomposed ($\varphi(u_c) = (\varphi_1(u_{c1}), \ldots, \varphi_m(u_{cm}))^T$) and to lie within a sector $[0, k_\varphi]$ with the vector of upper sector bounds $k_\varphi = (k_{\varphi 1}, \ldots, k_{\varphi m})$.

Assumption 5.2 (Sector-bounded Lipschitz output function). The function $h(\cdot)$ in the system (5.1) is assumed to be globally uniformly Lipschitz, to be decomposed ($h(y) = (h_1(y_1), \ldots, h_q(y_q))^T$) and to lie within a sector $[0, k_h]$ with the vector of upper sector bounds $k_h = (k_{h1}, \ldots, k_{hq})$.

The previous two assumptions exclude functions with infinite gain, as well as functions whose output reverses the sign of the input.

The sector bounds $k_\varphi$ and $k_h$ of the decomposed functions $\varphi(\cdot)$ and $h(\cdot)$ are expressed in the diagonal matrices $S_\varphi$ and $S_h$ as follows:

$$S_\varphi = \mathrm{diag}(S_{\varphi i}) \quad \text{where } S_{\varphi i} = 1/k_{\varphi i},\ i = 1, \ldots, m \tag{5.5}$$

$$S_h = \mathrm{diag}(S_{hi}) \quad \text{where } S_{hi} = 1/k_{hi},\ i = 1, \ldots, q. \tag{5.6}$$

Assumption 5.3 (Stabilising and setpoint tracking nominal control). The nominal closed-loop system $(\Sigma_P, \Sigma_C)$, formed by the nominal Hammerstein-Wiener plant (5.1) and the nominal Hammerstein-Wiener controller (5.4), is IOS with respect to the input $(r, d)$ and the output $(x, u_c)$. Furthermore, the tracking error

$$e_z(t) \triangleq r(t) - z(t) \tag{5.7}$$

satisfies certain desirable steady-state tracking and performance properties for arbitrary initial conditions $x_0$ and $x_{c0}$.

The previous assumption means that bounded reference and disturbance inputs lead to bounded state variables and control inputs. This assumption is not restrictive in technological control applications. The achievable nominal tracking properties depend on the nonlinear functions of the plant. For saturated systems in particular, tracking and disturbance rejection are local properties that are achievable only for reference signals and disturbances that lie inside certain regions of attraction [185].
5.3 Faults in Hammerstein-Wiener Systems

In this section, faults are introduced into the Hammerstein-Wiener system model 

(53) . 

Definition 5.3 (Actuator faults in Hammerstein-Wiener systems). An actuator fault in a Hammerstein-Wiener system is an event occurring at time $t_f$ that changes the nominal input matrix $B \in \mathbb{R}^{n \times m}$ to the faulty input matrix $B_f \in \mathbb{R}^{n \times m}$ of the same dimensions, and the nominal nonlinear input function $\varphi(\cdot)$ to the faulty nonlinear input function $\varphi_f(\cdot)$. □

Definition 5.4 (Sensor faults in Hammerstein-Wiener systems). A sensor fault in a Hammerstein-Wiener system is an event occurring at time $t_f$ that changes the nominal measurement matrix $C \in \mathbb{R}^{q \times n}$ to the faulty measurement matrix $C_f \in \mathbb{R}^{q \times n}$ of the same dimensions, and the nominal nonlinear output function $h(\cdot)$ to the faulty nonlinear output function $h_f(\cdot)$. □

Therefore, the nominal Hammerstein-Wiener system (5.1) changes to the faulty Hammerstein-Wiener system

$$
\Sigma_{Pf}:\ 
\begin{cases}
\dot{x}_f(t) = A x_f(t) + B_f \varphi_f(u_f(t)) + B_d d(t) \\
y_f(t) = h_f(C_f x_f(t)) \\
z_f(t) = h_z(C_z x_f(t)) \\
x_f(0) = x_0.
\end{cases}
\tag{5.8}
$$

The modification of the input and output matrices $B_f$ and $C_f$ is the same as for linear systems described in Section 4.3, also concerning the blockage off the operating point. The nonlinear input function $\varphi_f(\cdot)$ and the nonlinear output function $h_f(\cdot)$ reflect, for instance, changed nonlinear actuator or sensor characteristics or modified actuation range. Table 5.1 summarises the expressiveness of the Hammerstein-Wiener fault model. Clearly, more fault types are representable by these systems than by linear systems. The fault types expressible in Hammerstein-Wiener systems but not in linear systems are highlighted by means of circled checkmarks.

In particular, the saturated system (5.3) changes to the faulty saturated system

$$
\Sigma_{Pf}:\ 
\begin{cases}
\dot{x}_f(t) = A x_f(t) + B_f\,\mathrm{sat}(\underline{u}_f, \bar{u}_f, u_f(t)) + B_d d(t) \\
y_f(t) = C_f x_f(t) \\
z_f(t) = C_z x_f(t),
\end{cases}
\tag{5.9}
$$

where the saturation function is nominal but its range arguments change.

Example 5.2 (Hammerstein-Wiener model of ship subject to faults). The saturated system model of the faulty plant has the same model elements $B_f$, $C_f$, and $d_f p$ as the linear model (4.19) of the faulty ship. Furthermore, the reduced actuation range of the left thruster (fii) can be modelled without leaving the class of Hammerstein-Wiener systems. The range of the left thruster is reduced to ±60%,
Table 5.1 Technological faults representable by Hammerstein-Wiener fault models.

| Technological fault | Representable | By model parameter |
|---|---|---|
| Changed actuator gain | ✓ | $B_f$ |
| Changed nonlinear actuator characteristic | circled ✓ | $\varphi_f(\cdot)$ |
| Changed or reduced actuation range | circled ✓ | $\varphi_f(\cdot)$ |
| Actuator failure at the operating point | ✓ | $B_f$ |
| Actuator failure off the operating point | (✓) | $\sum b_j u_j$ (affine) |
| Changed sensor gain | ✓ | $C_f$ |
| Changed nonlinear sensor characteristic | circled ✓ | $h_f(\cdot)$ |
| Sensor failure | ✓ | $C_f$ |

Legend: ✓: fully representable; circled ✓: exclusively representable in this system class; (✓): representable leaving the system class; ×: not representable.



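$u_1 \in [-0.6, 0.6]$. This reduction is modelled by means of a modified saturation function $\mathrm{sat}(\underline{u}_f, \bar{u}_f, u_f)$, where $\underline{u}_f = (-0.6\ \ {-1}\ \ {-1})^T$ and $\bar{u}_f = (0.6\ \ 1\ \ 1)^T$. The entire saturated faulty system is described by the equations

$$
\begin{aligned}
\dot{x}_f(t) &= A x_f(t) + B_f\,\mathrm{sat}(\underline{u}_f, \bar{u}_f, u_f(t)) + d_f p + B_d d(t) \\
y_f(t) &= C_f x_f(t) \\
z_f(t) &= C_z x_f(t).
\end{aligned}
\tag{5.10}
$$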

The fault f$ meaning a floating rudder is obtained by the special case p — 0. 



5.4 Specific Reconfiguration Problems 



The reconfiguration block (3.21) is a nonlinear dynamical system consisting of a Hammerstein-Wiener virtual actuator and a Hammerstein-Wiener virtual sensor. The virtual sensor is strictly speaking not a Hammerstein-Wiener system because its dynamics include output error injection. The reconfiguration block (3.21) has the form

$$
\Sigma_R:\ 
\begin{cases}
\dot{\xi}(t) = A_r \xi(t) + \varphi_{r\xi}(\xi(t)) + B_r \varphi_{ru}(u_c(t)) + E_r y_f(t) \\
y_c(t) = h_{r\xi}(C_r \xi(t)) + h_{ry}(F_r y_f(t)) \\
u_f(t) = G_r \xi(t) + H_r u_c(t) \\
\xi(0) = \xi_0
\end{cases}
\tag{5.11}
$$

that is connected to the faulty Hammerstein-Wiener plant (5.8) through their common variables $u_f$ and $y_f$ as well as to the nominal controller (5.4) through the common variable $u_c$ and the interconnection $y(t) = y_c(t)$. The faulty plant, the reconfiguration block, and the nominal controller form the reconfigured closed-loop system $(\Sigma_{Pf}, \Sigma_R, \Sigma_C)$.
The reconfiguration problems 3.3, 3.4 and [33] stated in Chapter 3 are now specified for Hammerstein-Wiener systems, starting with stability.

Problem 5.1 (Stability recovery for Hammerstein-Wiener systems). Consider the nominal Hammerstein-Wiener plant $\Sigma_P$ defined in Equation (5.1) and the faulty Hammerstein-Wiener plant $\Sigma_{Pf}$ defined in Equation (5.8). Find a reconfigured block $\Sigma_R$ of the form (5.11) such that

$$\forall \Sigma_C : \{(\Sigma_P, \Sigma_C)\ \text{ISS w.r.t. } (r,d)\} \Rightarrow \{(\Sigma_{Pf}, \Sigma_R, \Sigma_C)\ \text{ISS w.r.t. } (r,d)\}.$$



Problem 3.4 will be considered for the special class of saturated systems, which form a subclass of Hammerstein systems.

Problem 5.2 (Stable asymptotic setpoint tracking recovery for saturated systems). Consider the nominal saturated plant $\Sigma_P$ defined in Equation (5.3) and the faulty saturated plant $\Sigma_{Pf}$ defined in Equation (5.9). Find a reconfiguration block $\Sigma_R$ of the form (5.11) such that for all nominal controllers $\Sigma_C$ satisfying Assumption 4.1 the reconfigured closed-loop system is ISS w.r.t. the input $(r,d)$, namely

$$\forall \Sigma_C : \{(\Sigma_P, \Sigma_C)\ \text{ISS w.r.t. } (r,d)\} \Rightarrow \{(\Sigma_{Pf}, \Sigma_R, \Sigma_C)\ \text{ISS w.r.t. } (r,d)\},$$

and such that for constant disturbances d(t) - dp(t), constant reference inputs r(t) - 
fp{t), and arbitrary initial conditions xq and x c q of the plant and the controller, it 
holds that 

$$\Big\{\lim_{t\to\infty}\big(r(t) - z(t)\big) = 0\Big\} \Rightarrow \Big\{\lim_{t\to\infty}\big(r(t) - z_f(t)\big) = 0\Big\}. \tag{5.12}$$

Problem 5.3 (Optimal stable performance recovery for saturated systems). Consider the nominal saturated plant $\Sigma_P$ defined in Equation (5.3) and the faulty saturated plant $\Sigma_{Pf}$ with initial condition $x_0$ defined in Equation (5.9). Find an optimal reconfiguration block $\Sigma_R^*$ such that the reconfigured closed-loop system is ISS w.r.t. the input $(r,d)$, and such that, for all nominal controllers $\Sigma_C$ satisfying Assumption 5.3, a tradeoff $\lambda\gamma_z + (1-\lambda)\gamma_u$ parameterized over $\lambda \in [0,1]$ is attained between

1. Optimal approximation of the closed-loop output trajectory in the sense that if $z_f^*$ is the output obtained with $\Sigma_R^*$ and $z_f$ is the output obtained with any other reconfiguration block $\Sigma_R$, then

$$\forall u_c(t), x_0, x_{c0}, \xi_0 :\ \gamma_z = \frac{\|z(t) - z_f^*(t)\|_{\mathcal{L}_2}}{\|u_c(t)\|_{\mathcal{L}_2}} \le \frac{\|z(t) - z_f(t)\|_{\mathcal{L}_2}}{\|u_c(t)\|_{\mathcal{L}_2}} \tag{5.13}$$

holds, and

2. Minimal amplification of the input signal in the sense that if $u_f^*$ is the control input obtained with $\Sigma_R^*$ and $u_f$ is the control input obtained with any other reconfiguration block $\Sigma_R$, then

$$\forall u_c(t), x_0, x_{c0}, \xi_0 :\ 1 \le \gamma_u = \frac{\|u_f^*(t)\|_{\mathcal{L}_2}}{\|u_c(t)\|_{\mathcal{L}_2}} \le \frac{\|u_f(t)\|_{\mathcal{L}_2}}{\|u_c(t)\|_{\mathcal{L}_2}}. \tag{5.14}$$

The solution to Problems 5.1, 5.2 and 5.3 will be discussed in Chapters 6, 7 and 8, respectively. The stability recovery for Hammerstein systems based on fault-hiding principles was first reported in [172]. The tracking recovery methods are first reported in [174].



5.5 Bibliographic Notes on Hammerstein-Wiener Systems 

Hammerstein-Wiener systems are linear dynamical systems with static nonlinear functions acting on the input and output signals. They have been used, for example, to model the magnetosphere around the earth [150], to model pH neutralisation processes [154], distillation columns, heat exchangers, stirred reactors, and other nonlinear industrial processes [22].

Several approaches to the identification of Hammerstein-Wiener systems have been reported in the literature. A three-stage iterative least-squares approach that first estimates the Hammerstein-subsystem, second identifies the Wiener-nonlinearity, and third optimises the selection of nonlinear basis functions from a candidate set is described in [150]. The method also accounts for missing data. Other approaches are based on subspace identification and least-squares support vector machines [69]. Further related literature may be found within the two previous references.

To control Hammerstein-Wiener systems, several approaches have been taken that typically depend on further assumptions about the nonlinear functions. If these functions are invertible, linearising control has been applied that consists of simple inverse functions of $f$ and $h$ placed in the input and output channels. The remaining linear subsystem may be controlled by means of any suitably designed linear controller [150]. Alternatively, model-predictive control has been applied, where the main difficulty consists in formulating the control problem in such a way that the underlying optimisation problem is convex [22].

The presence of saturations in the Hammerstein nonlinearity complicates the control problem [185]. The stability analysis in terms of necessary and sufficient conditions and the synthesis of stabilising controllers for saturated systems are known to be undecidable problems for saturated systems, unless the system matrix is symmetric [23].

This review shows that Hammerstein-Wiener systems are practically relevant, 
and that their control is nontrivial. The reconfigurable control of these systems 
has not been studied before to the author's knowledge. The undecidability prop- 
erty implies that necessary and sufficient reconfigurability conditions are not to be 
expected, and are indeed not achieved in this monograph. However, sufficient sta- 
bilisability conditions are provided in this monograph along with synthesis algo- 
rithms for recovering the nominal closed-loop stability, tracking, and performance 
properties. 



Chapter 6

Stability Recovery after Actuator and Sensor Faults in Hammerstein-Wiener Systems

Abstract. This chapter provides the solution to the stability recovery problem after combined actuator and sensor faults in Hammerstein-Wiener systems. The structure of the reconfiguration block is defined, and sufficient conditions are stated that guarantee the input-to-state stability of the reconfigured closed-loop system. These conditions are also used for the synthesis of the free reconfiguration block parameters. The special cases of pure actuator or sensor faults that give rise to simplified reconfiguration blocks are separately discussed. These solutions are shown to be robust against uncertain models of the faulty system, and they are shown to be universal solutions to the stated reconfiguration problems.



6.1 Hammerstein-Wiener Virtual Actuator and Virtual Sensor

For the combined occurrence of actuator and sensor faults ($B_f \neq B$, $C_f \neq C$), the reconfiguration block (5.11) is realised by the interconnection of the following virtual sensor $\Sigma_S$ and virtual actuator $\Sigma_A$ (Fig. 6.1).

Definition 6.1 (Hammerstein-Wiener virtual sensor). The Hammerstein-Wiener virtual sensor is the dynamical system

$$
\Sigma_S:\ 
\begin{cases}
\dot{\hat{x}}_f(t) = A \hat{x}_f(t) + B_f \varphi_f(u_f(t)) + L\big(y_f(t) - \hat{y}_f(t)\big) \\
\hat{y}_f(t) = h_f(C_f \hat{x}_f(t))
\end{cases}
\tag{6.1}
$$

with the initial condition $\hat{x}_f(0) = \hat{x}_{f0}$.

As in the linear case, the Hammerstein-Wiener virtual sensor is essentially an observer for the state of the faulty plant. It consists of a model of the faulty plant augmented by output error injection.
Definition 6.2 (Hammerstein-Wiener virtual actuator). The Hammerstein-Wiener virtual actuator is the dynamical system

$$
\Sigma_A:\ 
\begin{cases}
\dot{\tilde{x}}(t) = A \tilde{x}(t) + B \varphi(u_c(t)) \\
u_f(t) = M x_\Delta(t) + N u_c(t) \\
y_c(t) = h(C \tilde{x}(t))
\end{cases}
\tag{6.2}
$$

with the initial condition $\tilde{x}(0) = \hat{x}_{f0}$, and where $x_\Delta(t) = \tilde{x}(t) - \hat{x}_f(t)$ in accordance with Equation (3.35). □

The virtual actuator contains a reference model for the nominal dynamics along with feedback of the difference between the reference state and the observed state, as well as feedthrough of the control input.
Fig. 6.1 Reconfiguration block $\Sigma_R = (\Sigma_S, \Sigma_A)$ for reconfigurable control after the combined occurrence of actuator and sensor faults in Hammerstein-Wiener systems.

In order to satisfy the inactivity conditions (3.22), (3.23) imposed on reconfiguration blocks prior to reconfiguration time, the parameters of the Hammerstein-Wiener virtual actuator have to satisfy $M = 0$, $N = I$, $y_c(t) = y_f(t)$ before reconfiguration. At reconfiguration time, the parameters $M$ and $N$ are determined based on the model of the faulty plant, and the controller is connected to the output $y_c(t) = C\tilde{x}(t)$ of the virtual actuator.

As a preliminary result, the reconfiguration block consisting of the Hammerstein-Wiener virtual sensor and virtual actuator satisfies the weak fault-hiding goal, as the following Lemma shows.

Lemma 6.1 (Weak fault-hiding). The reconfigured plant $(\Sigma_{Pf}, \Sigma_S, \Sigma_A)$ that consists of the faulty Hammerstein-Wiener plant (5.8), the Hammerstein-Wiener virtual sensor (6.1), and the Hammerstein-Wiener virtual actuator (6.2) satisfies the weak fault hiding goal.

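Proof. After transformation into the coordinates of the observation error $e$ and difference state $x_\Delta$, the model of the reconfigured plant is given by the equations

$$
\begin{pmatrix} \dot{\tilde{x}}(t) \\ \dot{e}(t) \\ \dot{x}_\Delta(t) \end{pmatrix}
=
\begin{pmatrix}
A\tilde{x}(t) + B\varphi(u_c(t)) \\
Ae(t) - B_d d(t) \\
Ax_\Delta(t) + B\varphi(u_c(t)) - B_f\varphi_f(Mx_\Delta(t) + Nu_c(t))
\end{pmatrix}
-
\begin{pmatrix} 0 \\ L \\ L \end{pmatrix}
\Big(h_f\big(C_f(\tilde{x}(t) - x_\Delta(t) - e(t))\big) - h_f\big(C_f(\tilde{x}(t) - x_\Delta(t))\big)\Big)
\tag{6.3}
$$

$$
y_c(t) = h\left(\begin{pmatrix} C & 0 & 0 \end{pmatrix}
\begin{pmatrix} \tilde{x}(t) \\ e(t) \\ x_\Delta(t) \end{pmatrix}\right),
\qquad
\begin{pmatrix} \tilde{x}(0) \\ e(0) \\ x_\Delta(0) \end{pmatrix}
=
\begin{pmatrix} \hat{x}_{f0} \\ \hat{x}_{f0} - x_0 \\ 0 \end{pmatrix}.
\tag{6.4}
$$

This model shows that the dynamical equation for the reference state $\tilde{x}$ is decoupled from the observation error $e$ and the difference state $x_\Delta$. The output $y_c$ depends only on the state $\tilde{x}$. Stronger fault-hiding goals are not achievable, since the disturbance behaviour is not recovered and the correct initial condition is generally unknown ($\hat{x}_{f0} \neq x_0$), due to the general lack of measurements of the entire system state. ■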

Example 6.1 (Hammerstein-Wiener virtual actuator and virtual sensor for the ship). The linear parts of the Hammerstein-Wiener virtual actuator (6.2) and the Hammerstein-Wiener virtual sensor (6.1) are defined through the model elements (4.8), (4.9). The nonlinear input function $\varphi$ is a saturation function (2.1) with the vectors of lower bounds $\underline{u} = (-1\ \ {-1}\ \ {-1})^T$ and upper bounds $\bar{u} = (1\ \ 1\ \ 1)^T$ as defined in Example 5.1. The nonlinear output function $h$ is the identity, the virtual actuator is a Hammerstein virtual actuator, and the virtual sensor is a Hammerstein virtual sensor.
6.2 Main Stability Result

The main result consists in a theorem that provides a sufficient condition for the solvability of Problem 5.1 and a design procedure for finding stabilising parameters $L$ and $M$ for the Hammerstein-Wiener virtual sensor and virtual actuator. The main theorem regarding reconfigured closed-loop stability uses the following partial results that separately concern the observation error system

$$
\Sigma_e:\ 
\begin{cases}
\dot{e}(t) = Ae(t) - L\Big(h_f\big(C_f(\tilde{x}(t) - x_\Delta(t) - e(t))\big) - h_f\big(C_f(\tilde{x}(t) - x_\Delta(t))\big)\Big) - B_d d(t) \\
e(0) = \hat{x}_{f0} - x_0
\end{cases}
\tag{6.5}
$$

and the difference system

$$
\Sigma_\Delta:\ 
\dot{x}_\Delta(t) = l(x_\Delta(t), u_c(t)) - L\Big(h_f\big(C_f(\tilde{x}(t) - x_\Delta(t) - e(t))\big) - h_f\big(C_f(\tilde{x}(t) - x_\Delta(t))\big)\Big)
\tag{6.6}
$$

$$
l(x_\Delta, u_c) = Ax_\Delta + B\varphi(u_c) - B_f\varphi_f(Mx_\Delta + Nu_c)
\tag{6.7}
$$

$$x_\Delta(0) = 0.$$

Lemma 6.2 (Input-to-state stability of the observation error). Consider the dynamics of the observation error (6.5), where the diagonal matrix $S_h \in \mathbb{R}^{q \times q}$, $S_h > 0$ reflects the sector bound (5.6) of $h_f(\cdot)$. Suppose that Assumption 5.3 holds and that $A$ is Hurwitz. The observation error system $\Sigma_e$ is globally uniformly exponentially stable for $d = 0$ and ISS w.r.t. its input $d$, if there exists a symmetric positive definite matrix $X_s = X_s^T > 0$, $X_s \in \mathbb{R}^{n \times n}$, and a matrix $Y_s \in \mathbb{R}^{n \times q}$ such that the LMI

$$
\begin{pmatrix}
-(A^T X_s + X_s A) & C_f^T - Y_s \\
\star & 2S_h
\end{pmatrix} > 0
\tag{6.8}
$$

is satisfied, where $L = X_s^{-1} Y_s$.



Proof. The observation error system (6.5) is shown in Fig. 6.2. The Lipschitz condition on $h_f(\cdot)$ stated in Assumption 5.2 guarantees that

$$\forall x_f, e :\ \|h_f(x_f) - h_f(x_f + e)\| \le R\|e\|. \tag{6.9}$$

The remaining stability proof consists of the verification of exponential stability of the unforced observation error, and the subsequent verification of the ISS property for the forced observation error. From Theorem 2.5 it follows directly that the observation error is asymptotically stable for $d = 0$. In fact, the unforced observation error is globally uniformly exponentially stable [97, Proof of Theorem 7.1].

Fig. 6.2 Nonlinear observation error system.

From the exponential stability of the unforced observation error and from Theorem 2.1 it follows that the unforced observation error has a Lyapunov function $V(e)$. The derivative of $V(e)$ with respect to the forced observation error system (6.5) satisfies the relations

$$
\begin{aligned}
\dot{V}(e) &= \nabla V(e)\Big(Ae(t) + L\big(h_f(C_f x_f(t)) - h_f(C_f(x_f(t) + e(t)))\big) - B_d d(t)\Big) \\
&\le -c_3\|e\|^2 + c_4 R\|e\|^2\|C_f\| \cdot \|L\| + c_4\|e\| \cdot \|B_d\| \cdot \|d\|
\end{aligned}
\tag{6.10}
$$

for $c_3, c_4 > 0$ due to the Lipschitz property (6.9) and Theorem 2.1. The first term $-c_3\|e\|^2$ is obviously always negative. Using the parameter $\theta \in (0, 1)$, the inequality is rewritten as

$$
\begin{aligned}
\dot{V}(e) &\le -c_3(1 - \theta)\|e\|^2 - c_3\theta\|e\|^2 + c_4 R\|e\|^2\|C_f\| \cdot \|L\| + c_4\|e\| \cdot \|B_d\| \cdot \|d\| \\
&\le -(1 - \theta)c_3\|e\|^2, \quad \text{if } \|e\| \ge \frac{c_4\|B_d\|}{\theta c_3 - c_4 R\|C_f\| \cdot \|L\|}\|d\|.
\end{aligned}
$$

Theorem 2.2 is used with $\alpha_1(r) = c_1 r^2$, $\alpha_2(r) = c_2 r^2$, $W(e) = (1 - \theta)c_3\|e\|^2$ and $\rho(r) = (c_4\|B_d\|/(c_3\theta - c_4 R\|C_f\| \cdot \|L\|))r$ to conclude that the observation error system (6.5) is globally ISS w.r.t. the input $d$, where $\gamma(r) = \sqrt{c_2/c_1}\,(c_4\|B_d\|/(c_3\theta - c_4 R\|C_f\| \cdot \|L\|))r$ for $c_3\theta - c_4 R\|C_f\| \cdot \|L\| > 0$. This completes the proof. ■

The following lemma concerns the difference system. 

Lemma 6.3 (Input-to-state stability of the difference system). Consider the dynamics of the difference system (6.6), where the diagonal matrix $S_\varphi \in \mathbb{R}^{m \times m}$, $S_\varphi > 0$ reflects the sector bound (5.5) of $\varphi_f(\cdot)$. Suppose that Assumption 5.3 holds and that $A$ is Hurwitz. The difference system $\Sigma_\Delta$ is globally uniformly exponentially stable for $u_c = 0$ and $e = 0$ as well as ISS w.r.t. its input $(u_c, e)$, if there exists a symmetric positive definite matrix $X_a = X_a^T > 0$, $X_a \in \mathbb{R}^{n \times n}$, and a matrix $Y_a \in \mathbb{R}^{m \times n}$ such that the LMI

$$
\begin{pmatrix}
-(AX_a + X_a A^T) & Y_a^T - B_f \\
\star & 2S_\varphi
\end{pmatrix} > 0
\tag{6.11}
$$

is satisfied, where $M = Y_a X_a^{-1}$.
Proof. The unforced difference system $\Sigma_\Delta$ defined in Equation (6.6) ($e = 0$ and $u_c = 0$) is a standard linear system with nonlinear feedback that can be graphically represented as shown in Fig. 6.3. Theorem 2.5 implies that the LMI

$$
\begin{pmatrix}
-(A^T X + XA) & M^T - XB_f \\
\star & 2S_\varphi
\end{pmatrix} > 0, \quad X = X^T > 0
\tag{6.12}
$$

is sufficient for the unforced difference system to be globally asymptotically stable. From this LMI, the LMI (6.11) is obtained as follows. Application of Schur complements to the above LMI leads to the equivalent set of LMIs

$$2S_\varphi > 0 \quad \text{and} \quad -(A^T X + XA) - (M^T - XB_f)(2S_\varphi)^{-1}(M - B_f^T X) > 0.$$

Application of the congruence transformation $X_a = X^{-1}$ from left and right brings the set of inequalities into equivalent form

$$2S_\varphi > 0 \quad \text{and} \quad -(X_a A^T + AX_a) - (X_a M^T - B_f)(2S_\varphi)^{-1}(MX_a - B_f^T) > 0,$$

which is brought into the stated form by means of the substitution $Y_a = MX_a$ and reverse Schur complements:

$$
\begin{pmatrix}
-(X_a A^T + AX_a) & Y_a^T - B_f \\
\star & 2S_\varphi
\end{pmatrix} > 0, \quad X_a = X_a^T > 0.
$$

From Theorem 2.5 the unforced difference system is globally asymptotically stable and globally uniformly exponentially stable [97, Proof of Theorem 7.1].
Fig. 6.3 Nonlinear difference system.

From Theorem 2.1 it follows that the unforced ($u_c = 0$, $e = 0$) difference system has a Lyapunov function $V(x_\Delta)$. The derivative of $V(x_\Delta)$ with respect to the forced difference system (6.6) satisfies the relations

$$
\begin{aligned}
\dot{V}(x_\Delta) &= \nabla V(x_\Delta)\,l(x_\Delta, 0) + \nabla V(x_\Delta)\big(l(x_\Delta, u_c) - l(x_\Delta, 0)\big) \\
&\quad - \nabla V(x_\Delta)L\Big(h_f\big(C_f(\tilde{x} - x_\Delta - e)\big) - h_f\big(C_f(\tilde{x} - x_\Delta)\big)\Big) \\
&\le -c_3\|x_\Delta\|^2 + c_4\|x_\Delta\|L\|u_c\| + c_4 R\|L\| \cdot \|C_f\| \cdot \|x_\Delta\| \cdot \|e\|
\end{aligned}
\tag{6.13}
$$

for $c_3, c_4 > 0$ due to the Lipschitz property (5.1) and Theorem 2.1, where the function $l$ is defined in Equation (6.7). Using the parameter $\theta \in (0, 1)$, the inequality is rewritten as

$$
\begin{aligned}
\dot{V}(x_\Delta) &\le -(1 - \theta)c_3\|x_\Delta\|^2 - \theta c_3\|x_\Delta\|^2 + c_4\|x_\Delta\|L\|u_c\| + c_4 R\|L\| \cdot \|C_f\| \cdot \|x_\Delta\| \cdot \|e\| \\
&\le -(1 - \theta)c_3\|x_\Delta\|^2, \quad \text{if } \|x_\Delta\| \ge \frac{c_4\big(L\|u_c\| + R\|L\| \cdot \|C_f\| \cdot \|e\|\big)}{c_3\theta}.
\end{aligned}
$$

Theorem 2.2 is used with $\alpha_1(r) = c_1 r^2$, $\alpha_2(r) = c_2 r^2$, $W(x_\Delta) = (1 - \theta)c_3\|x_\Delta\|^2$, $\rho_u(r) = (c_4 L/(c_3\theta))r$, and $\rho_e(r) = (c_4 R\|L\| \cdot \|C_f\|/(c_3\theta))r$ to conclude that the difference system (6.6) is globally ISS w.r.t. the input $u_c$, where $\gamma_u(r) = \sqrt{c_2/c_1}\,(c_4 L/(c_3\theta))r$, and w.r.t. the input $e$, where $\gamma_e(r) = \sqrt{c_2/c_1}\,(c_4 R\|L\| \cdot \|C_f\|/(c_3\theta))r$. This concludes the proof. ■

The LMI conditions (6.8) and (6.11) each impose a passivity constraint on a certain linear subsystem. The conditions guarantee that the nonlinear input and output functions $\varphi(\cdot)$ and $h(\cdot)$ do not destroy stability. The main result is expressed in the following theorem, which provides the solution to Problem 5.1. Its proof, which uses the Lemmas 6.2 and 6.3, is found in the appendix due to its technical nature.



Theorem 6.1 (Reconfigured closed-loop stability recovery). Consider the reconfigured closed-loop system (5.8), (5.4), (6.1), (6.2) (Fig. 6.1), where the diagonal matrices $S_\varphi \in \mathbb{R}^{m \times m}$, $S_\varphi > 0$, and $S_h \in \mathbb{R}^{q \times q}$, $S_h > 0$ reflect the sector bounds (5.5) and (5.6) of $\varphi_f(\cdot)$ and $h_f(\cdot)$. Suppose that Assumption 5.3 holds and that $A$ is Hurwitz. The reconfigured closed-loop system is ISS w.r.t. its input $(r, d)$, if there exist symmetric positive definite matrices $X_s = X_s^T > 0$, $X_s \in \mathbb{R}^{n \times n}$ and $X_a = X_a^T > 0$, $X_a \in \mathbb{R}^{n \times n}$, as well as matrices $Y_s \in \mathbb{R}^{n \times q}$ and $Y_a \in \mathbb{R}^{m \times n}$ such that the LMIs (6.8) and (6.11) are satisfied, where $L = X_s^{-1} Y_s$ and $M = Y_a X_a^{-1}$.

Proof. See Appendix D, page 259.

Remark 6.1 (High-gain virtual sensor). The proof of Lemma 6.2 suggests that a high-gain virtual sensor can reduce the persistent observation error caused by disturbance excitation. The construction of an ISS Lyapunov function for the observation error shows that the observation error $e$ decreases over time whenever

$$\|e\| \ge \frac{c_4\|B_d\|}{\theta c_3 - c_4 R \cdot \|C_f\| \cdot \|L\|}\|d\|.$$

The attraction radius $(c_4\|B_d\|)/(\theta c_3 - c_4 R \cdot \|C_f\| \cdot \|L\|)\,\|d\|$ for given $\|d\|$ depends on the term $\theta c_3 - c_4 R \cdot \|C_f\| \cdot \|L\|$, which can have either positive or negative sign. The constants $c_3 > 0$, $c_4 > 0$, $R > 0$, and $\|C_f\|$ are defined through system properties, whereas the gain $L$ is a free parameter that can be used to change the sign of the term $\theta c_3 - c_4 R \cdot \|C_f\| \cdot \|L\|$ from positive to negative. A negative sign means that the observation error will always decrease. It should, however, be kept in mind that high-gain observers suffer from noise amplification, limiting their practical applicability. □



Algorithm 6.1 summarises the procedure of obtaining the reconfiguration solution in a real-time setup. The steps 1-3 describe the nominal closed-loop operation before any faults occur. Once faults are detected in step 4, the design of the Hammerstein-Wiener virtual sensor and the Hammerstein-Wiener virtual actuator occurs in steps 5-7, where the gains $L$ and $M$ are designed. This step always succeeds. After completed gain calculations, the reconfigured closed-loop system is executed in step 8, starting at reconfiguration time $t = 0$.

Algorithm 6.1. Stabilising Hammerstein-Wiener virtual actuator and sensor
Require: $A$, $B$, $C$, $\varphi$, $h$, $x_0$, $\hat{x}_{f0}$

1: Initialise the nominal closed-loop system (5.1), (5.4), (6.1) with $B_f = B$, $C_f = C$, $\varphi_f = \varphi$, $h_f = h$, $M = 0$, $L = 0$, $N = I$, $x(t_0) = x_0$, $\hat{x}_f(t_0) = \hat{x}_{f0}$, $\tilde{x}(0) = \hat{x}_{f0}$, deactivate the reconfiguration block by setting $y_c(t) = y(t)$
2: repeat
3: Run the nominal closed-loop system
4: until actuator or sensor fault $f$ detected and isolated
5: Construct the actuator fault model $B_f$, $\varphi_f$, the sensor fault model $C_f$, $h_f$, the sector bounds $S_\varphi$, $S_h$, and update the Hammerstein-Wiener virtual sensor (6.1) and the Hammerstein-Wiener virtual actuator (6.2)
6: Compute feasible solutions $(X_a, Y_a)$, $(X_s, Y_s)$ of the linear matrix inequalities (6.8) and (6.11)
7: Update the Hammerstein-Wiener virtual sensor (6.1) with $L = X_s^{-1} Y_s$ and $\hat{x}_f(0) = \hat{x}_{f0}$, and the Hammerstein-Wiener virtual actuator with $M = Y_a X_a^{-1}$ and $\tilde{x}(0) = \hat{x}_f(0)$
8: Run the reconfigured closed-loop system
Result: Globally ISS reconfigured closed-loop system (5.8), (5.4), (6.1), (6.2)

The initialisation problem for the reference system $\Sigma_P$ at reconfiguration time can be eased by first updating the observer, and waiting for a certain time period for the observer state to converge towards the true state. After the waiting period, the momentary value of $\hat{x}_f$ may be used for initialising $\tilde{x}$.
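The following added example (not code from the monograph) checks candidate solutions of step 6 of Algorithm 6.1 and recovers the gains of step 7. It assumes LMI (6.11) in the block form reached at the end of the proof of Lemma 6.3, with off-diagonal block Y_a^T - B_f, and LMI (6.8) with off-diagonal block C_f^T - Y_s; the 2-state system, the candidate matrices and all function names are constructed for illustration.

```python
"""Check candidate solutions of LMIs (6.8) and (6.11) and recover L and M.
Pure standard library; every matrix is a list of rows."""
from math import sqrt

def T(a):
    return [list(col) for col in zip(*a)]

def mul(a, b):
    bt = T(b)
    return [[sum(x * y for x, y in zip(row, col)) for col in bt] for row in a]

def lin(a, b, s=1.0):
    """Elementwise a + s*b."""
    return [[x + s * y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def scale(a, s):
    return [[s * x for x in row] for row in a]

def is_pd(m, eps=1e-12):
    """Strict positive definiteness of a symmetric matrix via Cholesky."""
    n = len(m)
    c = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = m[i][j] - sum(c[i][k] * c[j][k] for k in range(j))
            if i == j:
                if s <= eps:
                    return False
                c[i][i] = sqrt(s)
            else:
                c[i][j] = s / c[j][j]
    return True

def inv(m):
    """Gauss-Jordan inverse with partial pivoting."""
    n = len(m)
    a = [[float(x) for x in row] + [float(i == j) for j in range(n)]
         for i, row in enumerate(m)]
    for col in range(n):
        p = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[p][col]) < 1e-12:
            raise ValueError("matrix is singular")
        a[col], a[p] = a[p], a[col]
        piv = a[col][col]
        a[col] = [x / piv for x in a[col]]
        for r in range(n):
            if r != col:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]

def lmi_ok(x, p11, p12, p22):
    """Test X > 0 and [[p11, p12], [p12^T, p22]] > 0 in block form and,
    independently, through the Schur-complement pair used in the proof."""
    blk = ([r1 + r2 for r1, r2 in zip(p11, p12)]
           + [r1 + r2 for r1, r2 in zip(T(p12), p22)])
    block_ok = is_pd(x) and is_pd(blk)
    schur = lin(p11, mul(mul(p12, inv(p22)), T(p12)), -1.0)
    schur_ok = is_pd(x) and is_pd(p22) and is_pd(schur)
    return block_ok, schur_ok

def virtual_actuator_gain(A, Bf, S_phi, Xa, Ya):
    """LMI (6.11); returns (block_ok, schur_ok, M), M = Ya Xa^-1 or None."""
    p11 = scale(lin(mul(A, Xa), mul(Xa, T(A))), -1.0)
    ok, schur_ok = lmi_ok(Xa, p11, lin(T(Ya), Bf, -1.0), scale(S_phi, 2.0))
    return ok, schur_ok, (mul(Ya, inv(Xa)) if ok else None)

def virtual_sensor_gain(A, Cf, S_h, Xs, Ys):
    """LMI (6.8); returns (block_ok, schur_ok, L), L = Xs^-1 Ys or None."""
    p11 = scale(lin(mul(T(A), Xs), mul(Xs, A)), -1.0)
    ok, schur_ok = lmi_ok(Xs, p11, lin(T(Cf), Ys, -1.0), scale(S_h, 2.0))
    return ok, schur_ok, (mul(inv(Xs), Ys) if ok else None)

# Constructed 2-state, 2-input, 1-output system (not the ship model).
A = [[-1.0, 1.0], [0.0, -2.0]]       # Hurwitz system matrix
BF = [[1.0, 0.0], [0.0, 0.0]]        # second actuator failed: zero column
CF = [[1.0, 0.0]]                    # faulty measurement matrix
S_PHI = [[1.0, 0.0], [0.0, 1.0]]     # saturation: upper sector bound 1
S_H = [[1.0]]                        # identity output function
X = [[2.0, 0.0], [0.0, 1.0]]         # candidate X_a and X_s

if __name__ == "__main__":
    print(virtual_actuator_gain(A, BF, S_PHI, X, [[0.5, 0.0], [0.0, 0.0]]))
    print(virtual_actuator_gain(A, BF, S_PHI, X, [[5.0, 0.0], [0.0, 0.0]]))
    print(virtual_sensor_gain(A, CF, S_H, X, [[0.5], [0.0]]))
```

The block test and the Schur-complement test always agree, which is the equivalence the proof of Lemma 6.3 relies on; a rejected candidate yields no gain, so a caller can fall back to another solver result instead of running the loop with an uncertified M or L.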

Example 6.2 (Synthesis of Hammerstein-Wiener virtual sensor and virtual actuator for the ship). Given the linear elements (4.8), (4.9) of the Hammerstein model, Lemma 6.2 and Lemma 6.3 are applied to the gyro sensor failure f\ and the rudder failure fj.

The design of the virtual sensor requires the synthesis of an observer gain $L$ according to Lemma 6.2. In other words, a feasible solution of the LMI (6.8) is sought. The gyro sensor failure is modelled by means of the faulty output matrix $C_f$ defined in Equation (4.16) of Example 4.2. Since the nonlinear input function is a saturation ($\varphi = \mathrm{sat}$), the parameter $S_\varphi = I$ is the identity. The numerical search for a solution of the LMI (6.8) leads to the result

L =



0.32 
0.0001 0.0001 2.724 
0.0001 0.0001 -7.14 
-0.0002-0.0002 97.5, 



(6.14) 



This result can be interpreted as follows. The yaw rate is represented in the third 
system state component, and the third column of the matrix L shows that primarily 
the heading information is used to update the observer yaw rate state. The surge 
and sway velocities are also used with smaller gains. 

The design of the virtual actuator amounts to the synthesis of a feedback gain $M$ according to Lemma 6.3. In other words, a feasible solution of the LMI (6.11) is sought. The rudder failure is modelled by means of the faulty input matrix $B_f$ defined in Equation (4.17) of Example 4.2. Since the nonlinear input function is a saturation ($\varphi = \mathrm{sat}$), the parameter $S_\varphi = I$ is the identity. The numerical search for a solution of the LMI (6.11) leads to the result



(1.54 -0.42 0.54 0.05 



M=10" z 



1.54 




0.42 




-0.54 




-0.05 




(6.15) 



whereas the feedthrough gain $N$ was arbitrarily set to the identity $N = I_3$. The resulting matrix $M$ can be interpreted as follows. The last row is zero, which means that the failed rudder is not used. The first and second rows mean that a too small yaw velocity and too small heading cause the left thruster to increase its force and the right thruster to decrease its force, which causes a right turn and thereby decreases the mismatch between nominal and faulty yaw rate and heading.



6.3 Duality between Hammerstein-Wiener Virtual Sensor and Hammerstein-Wiener Virtual Actuator

The synthesis procedures for the Hammerstein-Wiener virtual sensor (6.1) and the Hammerstein-Wiener virtual actuator (6.2) are closely linked by duality.



Theorem 6.2 (Duality between the Hammerstein-Wiener virtual sensor and the Hammerstein-Wiener virtual actuator). Any solution $L$ to the Hammerstein-Wiener virtual sensor design problem for the pair $(C_f, A)$ also parameterises a corresponding solution $M$ to the Hammerstein-Wiener virtual actuator design problem for the pair $(A^T, C_f^T)$. The solutions $L$ and $M$ are linked by means of the relation $L = -M^T$.

Proof. See Appendix D, page 262.
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This result means that the duality property linking the linear virtual sensor to the 
linear virtual actuator is also true in the case of Hammerstein-Wiener systems. The 
duality holds in the sense that an approach for obtaining suitable gains for one sys- 
tem can be used to obtain suitable gains of the other system. 

6.4 Special Case: Hammerstein Systems and Actuator Faults 

In this section, the special case of actuator faults in Hammerstein systems without
output nonlinearity (here given immediately with faulty parameters)

$$\Sigma_{Pf}:\ \begin{cases}
\dot{x}_f(t) = A x_f(t) + B_f \varphi_f(u_f(t)) + B_d d(t) \\
y_f(t) = C x_f(t) \\
z_f(t) = C_z x_f(t),
\end{cases} \tag{6.16}$$

which is obtained from the Hammerstein-Wiener system (5.1) by setting $h(y) = y$,
is discussed. The reconfiguration block simplifies from $2n$ dimensions to $n$
dimensions. The robustness of the reconfigured closed-loop system against
uncertainties in the model of the faulty system is analysed, and it is shown that the
reconfiguration solution is state-feedback universal.

Simplified Reconfiguration Block 

In Hammerstein systems (6.16), the measurements are not distorted. Furthermore,
the output matrices in the virtual sensor and the virtual actuator are identical due
to the assumed absence of sensor faults, and the reference model in the virtual
actuator and the model in the observer differ only with respect to the input function
$\varphi(\cdot)$ and the input matrix $B$. Therefore, the superposition principle can be applied
except for the input parts of the models. After removing the output error injection
gain from the virtual sensor, the latter becomes an open-loop predictor that can be
merged with the reference model into a single system of the same dimension $n$ as
the plant, namely into a Hammerstein virtual actuator, which closely resembles its
linear counterpart (4.49), since its state directly represents the difference system, see
Fig. 6.4.

Definition 6.3 (Hammerstein virtual actuator). The Hammerstein virtual
actuator is the dynamical system

$$\begin{aligned}
\dot{x}_\Delta(t) &= A x_\Delta(t) + B\varphi(u_c(t)) - B_f \varphi_f(u_f(t)) \\
u_f(t) &= M x_\Delta(t) + N u_c(t) \\
y_c(t) &= y_f(t) + C x_\Delta(t)
\end{aligned} \tag{6.17}$$

with the initial condition $x_\Delta(0) = 0$.

Fig. 6.4 Reconfiguration block for reconfigurable control after actuator faults in
Hammerstein systems.

Due to this simplification, it turns out that the Hammerstein virtual actuator satisfies
not only the weak fault-hiding goal, but even the strict fault-hiding goal, as the
following lemma shows.

Lemma 6.4 (Strict fault-hiding). The reconfigured plant $\Sigma_{Pr} = (\Sigma_{Pf}, \Sigma_A)$ that
consists of the faulty Hammerstein system (6.16) and the Hammerstein virtual
actuator (6.17) satisfies the strict fault-hiding goal for arbitrary values of the
parameters $M$ and $N$.

Proof. After transformation to the state $\tilde{x} = x_f + x_\Delta$, the reconfigured plant (5.8),
(6.17) results in the following transformed reconfigured plant model $\Sigma_{Pr}$:

(yf(t)\Jc-c\(m\ (x(0) 

\y c (t) \C \xj(t)' \x A (0) 



(6.19) 



The nominal controller is attached to the system

$$\begin{cases}
\dot{\tilde{x}}(t) = A\tilde{x}(t) + B\varphi(u_c(t)) + B_d d(t) \\
y_c(t) = C\tilde{x}(t) \\
\tilde{x}(0) = x_0 + x_{\Delta 0} = x_0
\end{cases} \tag{6.20}$$

by means of the input $u_c$ and the output $y_c$. This system equals the nominal plant
model (6.16) up to renaming the state, including the replication of the disturbance
effect. It has hence been shown that strict fault-hiding is reached for the initial
condition $x_{\Delta 0} = 0$ of the virtual actuator. ■

The difference system is now governed by the dynamics

$$\Sigma_\Delta:\ \begin{cases}
\dot{x}_\Delta(t) = l(x_\Delta(t), u_c(t)) \\
l(x_\Delta, u_c) = A x_\Delta + B\varphi(u_c) - B_f \varphi_f(M x_\Delta + N u_c) \\
x_\Delta(0) = 0
\end{cases} \tag{6.21}$$

that is simpler than the dynamics of the difference system (6.6).
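The strict fault-hiding property of Lemma 6.4 can be checked numerically. The following is an added example, not taken from the monograph: it simulates the nominal loop and the reconfigured loop built from (6.16) and (6.17) with explicit Euler steps and compares the controller-side output $y_c$ with the nominal output. The plant matrices, the saturation limits, the proportional controller and the three gain pairs $(M, N)$ are constructed for illustration.

```python
# Constructed 2-state, 2-actuator plant (illustrative values, not the ship model).
A = [[-1.0, 1.0], [0.0, -2.0]]    # Hurwitz system matrix
B = [[1.0, 0.5], [0.0, 1.0]]      # nominal input matrix
B_F = [[1.0, 0.0], [0.0, 0.0]]    # actuator 2 failed: its column is zero
B_D = [0.5, 0.2]                  # disturbance input vector
C = [1.0, 0.0]                    # single measured output
X0 = [0.3, -0.1]                  # common initial state x_0


def sat(v, lo, hi):
    return max(lo, min(hi, v))


def phi(u):                       # nominal input nonlinearity
    return [sat(u[0], -1.0, 1.0), sat(u[1], -1.0, 1.0)]


def phi_f(u):                     # faulty: actuator 1 limited to 60 % of its range
    return [sat(u[0], -0.6, 0.6), sat(u[1], -1.0, 1.0)]


def mv(mat, v):
    return [sum(a * b for a, b in zip(row, v)) for row in mat]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def euler(x, h, *terms):
    """One explicit Euler step: x + h * (sum of the given vectors)."""
    return [xi + h * sum(t) for xi, t in zip(x, zip(*terms))]


def controller(y):                # assumed nominal controller, setpoint r = 1
    e = 1.0 - y
    return [2.0 * e, 1.0 * e]


def disturbance(t):               # step disturbance appearing at t = 3
    return [(0.2 if t >= 3.0 else 0.0) * b for b in B_D]


def simulate_nominal(steps=10000, h=1e-3):
    x, ys = list(X0), []
    for k in range(steps):
        y = dot(C, x)
        ys.append(y)
        x = euler(x, h, mv(A, x), mv(B, phi(controller(y))), disturbance(k * h))
    return ys


def simulate_reconfigured(M, N, steps=10000, h=1e-3):
    x_f, x_d = list(X0), [0.0, 0.0]          # x_d is x_Delta with x_Delta(0) = 0
    y_c_log, y_f_log = [], []
    for k in range(steps):
        y_f = dot(C, x_f)                    # faulty plant output
        y_c = y_f + dot(C, x_d)              # output handed to the controller
        y_c_log.append(y_c)
        y_f_log.append(y_f)
        u_c = controller(y_c)
        u_f = [a + b for a, b in zip(mv(M, x_d), mv(N, u_c))]
        act = mv(B_F, phi_f(u_f))            # effect of the faulty actuators
        x_f_next = euler(x_f, h, mv(A, x_f), act, disturbance(k * h))
        x_d = euler(x_d, h, mv(A, x_d), mv(B, phi(u_c)), [-a for a in act])
        x_f = x_f_next
    return y_c_log, y_f_log


def max_hiding_error(M, N):
    """Largest gap between y_c of the reconfigured loop and the nominal output."""
    y_c, _ = simulate_reconfigured(M, N)
    return max(abs(a - b) for a, b in zip(y_c, simulate_nominal()))


def max_fault_effect(M, N):
    """Largest gap between the raw faulty output y_f and the nominal output."""
    _, y_f = simulate_reconfigured(M, N)
    return max(abs(a - b) for a, b in zip(y_f, simulate_nominal()))


ZERO = [[0.0, 0.0], [0.0, 0.0]]
IDENT = [[1.0, 0.0], [0.0, 1.0]]
GAINS = [(ZERO, IDENT),
         ([[0.5, 0.2], [0.0, 0.0]], [[1.0, 0.9], [0.0, 0.0]]),
         ([[-3.0, 2.0], [1.0, 4.0]], [[-1.0, 0.0], [2.0, 5.0]])]

if __name__ == "__main__":
    for M, N in GAINS:
        print(max_hiding_error(M, N), max_fault_effect(M, N))
```

For every gain pair the controller sees the nominal output up to rounding error, while the raw faulty output $y_f$ deviates visibly; the choice of $M$ and $N$ only changes how the plant itself behaves behind the reconfiguration block.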

The conditions under which the Hammerstein virtual actuator stabilises the
reconfigured closed-loop system are stated in the following corollary to Theorem 6.1,
which gives a solution to Problem 5.1 for Hammerstein systems subject to actuator
faults.

Corollary 6.1 (Reconfigured closed-loop system stability). Consider the
reconfigured closed-loop system (5.8), (5.4), (6.17) (Fig. 6.4), where the faulty plant has
only actuator faults ($C_f = C$, $h_f = h$), and where the diagonal matrix $S_\varphi \in \mathbb{R}^{m \times m}$,
$S_\varphi > 0$ reflects the sector bounds (5.5) of $\varphi_f(\cdot)$. Suppose that Assumption 5.3 holds
and that $A$ is Hurwitz. The reconfigured closed-loop system is ISS w.r.t. its inputs
$(r, d)$, if there exists a symmetric positive definite matrix $X_a = X_a^T > 0$, $X_a \in \mathbb{R}^{n \times n}$,
and a matrix $Y_a \in \mathbb{R}^{m \times n}$ such that the LMI ( 16.771 ) is satisfied, where $M = Y_a X_a^{-1}$.

In other words, only one LMI has to be solved in order to find the stabilising gain
$M$ instead of two.

Example 6.3 (Hammerstein virtual actuator synthesis for the ship). Given the
linear elements (4.8), (4.9) of the Hammerstein model, Algorithm 6.1 is applied to
the rudder floating failure f$ combined with a reduction of the actuation range fii for
the left thruster. The response of the nonlinear ship model subject to abrupt rudder
failure at $t_f = 20$ s is shown in Fig. 6.5. The times $0 < t < t_f = 20$ s correspond to the
steps 1 to 4 of the algorithm describing the situation without faults, where the virtual
actuator is inactive. At the time $t_f = 20$ s, the rudder fails in floating condition, and
the left thruster undergoes a reduction of its maximum thrust force to 60% of its
nominal force. The fault is immediately detected and isolated in step 4, the model of
the faulty system is constructed in step 5, and the virtual actuator parameter $M$ is
calculated in step 6, with the result given in Equation (6.15) and brought into effect
in step 7. A wind disturbance $d$ appears at $t = 30$ s. Fig. 6.5 shows that the system is
indeed stable (the sway velocity approaches the origin for $t > 100$ s). The reduction
of the left thruster ($u_1$) maximum force is clearly visible, since its signal is cut off at
0.6. However, the functioning control inputs are hardly used since the matrix $M$ has
a very small gain and the setpoints for surge velocity and heading are not reached.
Fig. 6.6 shows the motion of the ship with reconfigured controller, which is
capable of avoiding the obstacle. However, it does not return to its old course after
avoiding the obstacle, therefore the solution is not yet satisfactory.

Fig. 6.5 Response of nonlinear ship subject to rudder failure with control reconfiguration by
means of stabilising Hammerstein virtual actuator.



Robust Stability 

Suppose that only uncertain models $\hat{\varphi}_f$ and $\hat{B}_f$ of the true faulty nonlinear function
$\varphi_f$ and the true faulty input matrix $B_f$ are available. The uncertainties can be, for
example, due to imperfections of the fault diagnosis component. It is shown in this
section that, based on the robustness of the nominal closed-loop system, the control
reconfiguration approach is robust with respect to bounded uncertainties

$$\delta\varphi_f(u) = \hat{B}_f \hat{\varphi}_f(u) - B_f \varphi_f(u). \tag{6.22}$$

Fig. 6.6 Motion of nonlinear ship subject to rudder failure with control reconfiguration by
means of stabilising Hammerstein virtual actuator.



Consider the following modified model of the transformed reconfigured plant
(EH , dQ9l) .

$$\Sigma_{Pr}:\ \dot{\tilde{x}}(t) = A\tilde{x}(t) + \left[ B_f \varphi_f(M x_\Delta(t) + N u_c(t)) - \hat{B}_f \hat{\varphi}_f(M x_\Delta(t) + N u_c(t)) \right] + B\varphi(u_c(t)) + B_d d(t) \tag{6.23}$$

$$\Sigma_\Delta:\ \dot{x}_\Delta(t) = A x_\Delta(t) - \hat{B}_f \hat{\varphi}_f(M x_\Delta(t) + N u_c(t)) + B\varphi(u_c(t)). \tag{6.24}$$

Clearly, Equation (6.23) shows that the fault-hiding property and the separation
property no longer hold. Consequently, the quantity $x_\Delta$ no longer allows the
interpretation as the difference between the nominal and the faulty state. The
stability properties of the difference system (6.21)/(6.24), which remains unchanged,
however still hold, as long as the sector bound for $\varphi_f$ is correctly known.

The nonlinear separation principle of cascade-interconnected ISS systems no
longer applies, because the cascade structure is lost. However, Equations (6.23)
and (6.24) can be represented as a feedback interconnection of two systems $\Sigma_1$ and
$\Sigma_2$ shown in Figure 6.7. Let

$$\|\Sigma_1\|_{\mathcal{L}_2} = \beta_1 \quad \text{and} \quad \|\Sigma_2\|_{\mathcal{L}_2} = \beta_2$$

denote the $\mathcal{L}_2$ gains of the modified nominal closed-loop system $\Sigma_1$ defined by the
nominal plant model (6.23) and the controller (5.4), and the difference system $\Sigma_2$
defined by Equation (6.24). From the small gain theorem l2~3l the following result
immediately follows.

Fig. 6.7 Redrawn uncertain reconfigured closed-loop Hammerstein system.



Theorem 6.3 (Robust Hammerstein virtual actuator). The reconfigured
closed-loop system (5.8), (5.4), (6.17) is robustly stable against uncertainties
(6.22) in the nonlinear function $\varphi_f$, if $\beta_1 \beta_2 < 1$ holds.

Assuming that the gain of the nominal closed-loop system ($\Sigma_1$, upper block in
Fig. 6.7) from the fictitious disturbance input $\delta\varphi_f$ to the control input $u_c$ is finite, the
uncertain loop is always stable if the model uncertainties $\delta\varphi_f$ are sufficiently small.
This insight is gained from consideration of $\Sigma_2$ (see Fig. 6.7) and by recognising the
fact that $\delta\varphi_f$ is the output of $\Sigma_2$. This theorem shows the robustness of the concept
of the virtual actuator with respect to model uncertainties.

Remark 6.2 (Relation to nominal robustness). It seems that the robust stability of
the reconfigured closed-loop system does not depend on the nominal robust
stability. This surprising result is due to the fact that the Hammerstein virtual actuator
implicitly introduces the nominal system model with the model function $\hat{\varphi}$ as a
reference model. Its relationship to the true unknown function $\varphi$ does not appear. On
the other hand, the system $\Sigma_2$ in Fig. 6.7 may be interpreted as a parallel uncertainty
of the input path in the nominal system. With this interpretation, the robustness of
the reconfigured closed-loop system against uncertainties in $B_f$ and $\varphi_f$ requires a
certain level of nominal robustness against uncertainty in $B$ and $\varphi$.

State-Feedback Universality 

In this section, it is shown that the choice of the fault-hiding approach in general
and the Hammerstein virtual actuator in particular are not restrictive for solving the
stability recovery problem for Hammerstein systems subject to actuator faults. First,
the notion of state-feedback universality is defined.

Definition 6.4 (Linear state-feedback universality). A reconfigurable control
scheme $S$ is called linear state-feedback universal for the class of Hammerstein
systems subject to actuator faults, if there exists no stabilising linear state-feedback
controller $u_f(t) = K x_f(t)$ for the faulty plant (5.8) whenever the plant (5.8) with
actuator faults is not stabilisable with $S$.

Theorem 6.4 (Linear state-feedback universal Hammerstein virtual
actuator). The reconfigurable control scheme $\Sigma_{Cr} = (\Sigma_A, \Sigma_C)$ defined by the
Equations (5.4), (6.17) with the stabilisability condition ( 16.771 ) is linear
state-feedback universal for Hammerstein systems subject to actuator faults.

Proof. See Appendix D, page 262.

The proof shows that the problems of linear state-feedback synthesis and virtual
actuator synthesis are equivalent. The proof does not depend on the chosen
stabilisation technique and is therefore not conservative. It should be stressed that the
universality statement is limited to linear state feedback. The application of
nonlinear state-feedback control eases the stabilisation task if the input characteristic $\varphi$ is
invertible. However, saturation functions do not admit a global inverse.



6.5 Special Case: Hammerstein-Wiener Systems and Sensor Faults

Simplified Reconfiguration Block

In the case of pure sensor faults, the Hammerstein-Wiener virtual sensor $\Sigma_S$
defined in Equation (6.1) is used with the simplifications $B_f = B$ and $\varphi_f(\cdot) = \varphi(\cdot)$ (see
Fig. 6.8).

Fig. 6.8 Reconfiguration block for reconfigurable control after sensor faults in
Hammerstein-Wiener systems.

Lemma 6.5 (Asymptotic fault-hiding). The reconfigured plant $(\Sigma_{Pf}, \Sigma_S)$ that
consists of the faulty Hammerstein-Wiener system (5.8) with sensor faults ($B_f = B$,
$\varphi_f(\cdot) = \varphi(\cdot)$) and the Hammerstein-Wiener virtual sensor (6.1) with $B_f = B$ and
$\varphi_f(\cdot) = \varphi(\cdot)$ satisfies the asymptotic fault-hiding goal for all choices of $L$ that make
the observation error globally asymptotically stable for $d = 0$.

Proof. After transformation to the observation error $e = \hat{x}_f - x_f$, the dynamics of
the reconfigured plant is given by the equations



Xf(t) 

eit) 



yMJ 



A ° \ [*/«>» + (?) (hfQCfXfit)) - h f (C f (Xf(t) + e(t))) 



e(t) 
<p(u c (t)) 






A 

hfCCfXf®) \ 

h(C(x f {t) + e{t)))y 



d(t), 



x f (0) 
e(0) 



XfQ - Xq 



(6.25) 
(6.26) 
(6.27) 



Clearly, the controller connected to the output $y_c$ sees entirely nominal dynamics
for $e(t) = 0$, which is asymptotically achieved for globally asymptotically stable
observation error dynamics. ■

The following corollary to Theorem 6.1 provides sufficient conditions on $L$ which
guarantee that the observation error is globally asymptotically stable for $d = 0$ and
ISS w.r.t. $d$.

Corollary 6.2 (Reconfigured closed-loop system stability). Consider the
reconfigured closed-loop system (5.8), (5.4), (6.1) (Fig. 6.8), where the faulty plant has
only sensor faults ($B_f = B$, $\varphi_f = \varphi$), and where the diagonal matrix $S_h$ 6 JR mx '",
$S_h > 0$ reflects the sector bounds (5.6) of $h_f(\cdot)$. Suppose that Assumption [PI holds
and that $A$ is Hurwitz. The reconfigured closed-loop system is ISS w.r.t. its input $(r, d)$,
if there exists a symmetric positive definite matrix $X_s = X_s^T > 0$, $X_s \in \mathbb{R}^{n \times n}$, and a
matrix $Y_s \in \mathbb{R}^{n \times q}$ such that the LMI (6.8) is satisfied, where $L = X_s^{-1} Y_s$.

In other words, only one LMI has to be solved to find the stabilising gain $L$ instead
of two.



Example 6.4 (Hammerstein-Wiener virtual sensor synthesis for the ship).
Given the elements (4.8), (4.9) of the linear model, Algorithm 6.1 is applied to the
gyro sensor failure $f_1$. The response of the nonlinear ship model subject to abrupt
gyro sensor failure at $t_f = 20$ s is shown in Fig. 6.9. The times $0 < t < t_f = 20$ s
correspond to the steps 1 to 4 of the algorithm describing the situation without faults,
where the virtual sensor is inactive. At the time $t_f = 20$ s, the gyro sensor fails. The
fault is immediately detected and isolated in step 4, the model of the faulty system
is constructed in step 5, and the virtual sensor parameter $L$ is calculated in step 6,
with the result given in Equation (6.14), and brought into effect in step 7.

Fig. 6.9 Response of nonlinear ship subject to gyro sensor failure with control
reconfiguration by means of stabilising Hammerstein-Wiener virtual sensor.

Fig. 6.9 shows the true surge, sway, and yaw velocities as well as the estimates
for surge and yaw velocity. The figure demonstrates that the virtual sensor provides
good estimates that permit the controller to steer the ship away from the obstacle,
as Fig. 6.10 clearly shows. However, the wind disturbance becoming effective at
$t = 30$ s cannot be compensated, and the state estimate deviates from the true values.
The stronger the wind is, the larger the observation error becomes.

Fig. 6.10 Motion of nonlinear ship subject to gyro sensor failure with control reconfiguration
by means of stabilising Hammerstein-Wiener virtual sensor.



Robust Stability 

Suppose that the output model of the Hammerstein-Wiener system is subject to
uncertainties of the nonlinear output function

$$\delta h_f(x) = \hat{h}_f(\hat{C}_f x) - h_f(C_f x). \tag{6.28}$$

Such uncertainties are likely to arise due to imperfections of the fault diagnosis
component. The uncertainties modify the dynamics of the observation error (6.5)
for the case of pure sensor faults to

$$\Sigma_e:\ \begin{cases}
\dot{e}(t) = A e(t) + L\left( h_f(C_f x_f(t)) - \hat{h}_f(\hat{C}_f (x_f(t) + e(t))) \right) - B_d d(t) \\
e(0) = \hat{x}_{f0} - x_0.
\end{cases} \tag{6.29}$$

The following theorem states that the closed-loop stability properties do not change
in the case of model uncertainties, if the uncertain output function satisfies a robust
Lipschitz condition.



Theorem 6.5 (Robust Hammerstein-Wiener virtual sensor). The
reconfigured closed-loop system (5.8), (5.4), (6.1) subject to sensor faults is robustly
stable against uncertainties (6.28) in the nonlinear function $h_f$ and the output
matrix $C_f$, if there exist numbers $R_0 > 0$ and $R > 0$ such that the uncertainties
satisfy the robust Lipschitz condition

$$\forall x, e:\ \| h_f(C_f x) - \hat{h}_f(\hat{C}_f (x + e)) \| \le R_0 + R \|e\|. \tag{6.30}$$

The proof closely follows the proof of Lemma 6.2.
Proof. See Appendix D, page 262.

Due to the robustness property, modelling errors in the output matrix and nonlinear
output function made by the diagnosis component are tolerated by the virtual sensor
with respect to stability. The larger the uncertainties are, the larger the persistent
observation error is.



Output-Injection Universality 

In this section, it is shown that the choice of the fault-hiding approach in general and
the Hammerstein-Wiener virtual sensor in particular are not restrictive for solving
the stability recovery problem for Hammerstein-Wiener systems subject to sensor
faults. The notion of output-injection universality is defined as follows.

Definition 6.5 (Output-injection universality). A reconfigurable control scheme
$S$ is called output-injection universal for the class of Hammerstein-Wiener systems
subject to sensor faults, if there exists no stabilising linear output-injection controller
$\dot{x}_f(t) = A x_f(t) + K y_f(t)$ for the faulty plant (5.8) whenever the faulty plant (5.8) is
not stabilisable with $S$.

Theorem 6.6 (Output-injection universal Hammerstein-Wiener virtual
sensor). The reconfigurable control scheme $\Sigma_{Cr} = (\Sigma_S, \Sigma_C)$ defined by the
Equations (5.4), (6.1) with the stabilisability condition (6.8) is output-injection
universal for Hammerstein-Wiener systems subject to sensor faults.

Proof. See Appendix D, page 263.

The proof is conducted by showing that the problems of output-injection synthesis
and virtual sensor synthesis are equivalent. As previously in the case of
state-feedback universality of virtual actuators, the proof does not depend on the chosen
stabilisation technique and is therefore not conservative.



6.6 Summary and Discussion 

In this chapter, the stability recovery problem has been solved for the class of
Hammerstein-Wiener systems subject to actuator and sensor faults modelled by
means of modified input and output matrices and modified respective nonlinear
functions (Theorem 6.1). A synthesis procedure has been given to determine
stabilising gains of the Hammerstein-Wiener virtual sensor and the Hammerstein-Wiener
virtual actuator (Algorithm 6.1). Two interesting special cases have been separately
analysed: actuator faults in Hammerstein systems and sensor faults in
Hammerstein-Wiener systems.

It has been shown that the concepts of Hammerstein virtual actuators and
Hammerstein-Wiener virtual sensors are robust with respect to modelling errors in
the faulty nonlinear input and output functions (Theorem 6.3, Theorem 6.5).
Furthermore, it was shown through universality properties that the choices of virtual
sensors and virtual actuators as reconfiguration approaches are not restrictive
(Theorem 6.4, Theorem 6.6). The universality results are independent of the synthesis
techniques for virtual actuators and state-feedback controllers on the one hand and
virtual sensors and output-injection controllers on the other hand. Therefore, any
novel state-feedback synthesis technique that is less conservative than the absolute
stability technique chosen in this chapter can also be applied to the synthesis of
virtual actuator gains. A similar statement is true for the problems of virtual sensor and
output injection gain synthesis.

Clearly, the robustness properties derived for the Hammerstein virtual actuator
and the Hammerstein-Wiener virtual sensor also apply to their linear counterparts,
which are special cases of the nonlinear versions considered in this chapter. The
stability robustness found against uncertainties in the model of the faulty plant is
crucial, since the models coming from fault diagnosis components are often
considerably more uncertain than models derived from first principles modelling,
parameter identification, or black-box identification with the engineer in the synthesis
loop.

The synthesis problems of finding stabilising gains for the Hammerstein-Wiener
virtual actuator and virtual sensor turn out to be dual. However, the symmetry
between the virtual actuator and sensor also has limitations, as shown in the
robustness analysis. The Hammerstein virtual actuator is small-gain robust, whereas no
small-gain condition was needed for the virtual sensor. The broken symmetry is
explained by the different entities processed by the virtual actuator and virtual sensor:
information in the case of the virtual sensor, and energy in the case of the virtual
actuator. The rerouting of control energy to adequate actuators is unavoidable for
control, which explains the small-gain condition. Furthermore, the measured output
provided to the nominal controller is entirely based on the state estimate in case of
the Hammerstein-Wiener virtual sensor. The faulty measured output is not directly
fed through.

With respect to the requirements stated in Chapter [T31 the method is suitable
for autonomous online application, provided that the stated synthesis LMIs can be
autonomously solved. Given the current computational power, it is numerically
applicable to small and medium sized problems. The established robustness properties
are particularly important to safeguard against inaccurate models derived by the
fault diagnosis component.

This chapter has entirely focused on the recovery of stability. The ship example
has, however, well demonstrated that stability alone is not sufficient for an applicable
reconfiguration solution. The following two chapters thus discuss the recovery of
asymptotic setpoint tracking and the recovery of nominal performance properties.



Chapter 7

Setpoint Tracking Recovery after Actuator Faults in Saturated Systems

Abstract. This chapter gives the solution to the tracking recovery problem after
actuator faults in saturated systems. The solution extends the stabilising
reconfiguration solution to achieve tracking of constant setpoints. Feasible setpoints that
can be reached by the faulty plant are characterised, and it is shown that a suitably
designed saturated virtual actuator ensures that they be reached. It is furthermore
shown how infeasible setpoints are mapped to feasible ones.



7.1 The Setpoint Tracking Problem 

This chapter describes a solution to the constant setpoint tracking recovery
problem 5.2 as an extension to the stability recovery solution of the previous chapter.
The extension is described for the class of saturated systems subject to actuator
faults, which is a special class of Hammerstein systems where the nonlinear input
function is a saturation function.

The tracking problem is affected by faults in two ways:

• Actuator failures typically reduce the available degrees of freedom for
independently controlling all outputs, such that after the fault, an output vector with
reduced dimension is independently assignable.

• Even if the tracking output dimensions may remain unchanged, the reachable
set in the output space is generally reduced due to the fault, for example, because
of smaller actuation ranges.

This chapter is entirely based on the following assumption.

Assumption 7.1 (Input saturation functions). The nonlinear functions $\varphi(\cdot)$ and
$\varphi_f(\cdot)$ of the systems (5.1), (5.8) are pure saturations $\varphi(u) = \mathrm{sat}(\underline{u}, \bar{u}, u)$ and
$\varphi_f(u_f) = \mathrm{sat}(\underline{u}_f, \bar{u}_f, u_f)$.

The assumption includes tightened saturation bounds caused by actuator faults, but
it excludes changes of the slope in the sensitivity range. Between saturation limits,
the nominal and faulty saturation functions must be identities.
The class of systems considered in this chapter is thus the class of nominal
saturated systems

$$\begin{cases}
\dot{x}(t) = A x(t) + B\,\mathrm{sat}(\underline{u}, \bar{u}, u_c(t)) + B_d d(t) \\
y(t) = C x(t) \\
z(t) = C_z x(t) \\
x(0) = x_0,
\end{cases} \tag{7.1}$$

first defined above in Definition (5.2). The class of saturated systems subject to
actuator faults is

$$\Sigma_{Pf}:\ \begin{cases}
\dot{x}_f(t) = A x_f(t) + B_f\,\mathrm{sat}(\underline{u}_f, \bar{u}_f, u_f(t)) + B_d d(t) \\
y_f(t) = C_f x_f(t) \\
z_f(t) = C_z x_f(t) \\
x_f(0) = x_0,
\end{cases} \tag{7.2}$$

first defined above in Equation (5.9). The following property of the nominal and
faulty saturated plants is assumed.

Assumption 7.2 (Finite static gain). The linear part of the nominal saturated
system (7.1) and the linear part of the faulty saturated system (7.2) have finite static
gains from the saturated control input to the relevant outputs $z$ and $z_f$:

$$\| C_z A^{-1} B \| < \infty \tag{7.3}$$
$$\| C_z A^{-1} B_f \| < \infty. \tag{7.4}$$

Throughout this chapter, the Hammerstein virtual actuator is specialised as a
saturated virtual actuator defined as follows (Fig. 7.1).



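Definition 7.1 (Saturated virtual actuator). The saturated virtual actuator is
the dynamical system

$$\Sigma_A:\ \begin{cases}
\dot{x}_\Delta(t) = A x_\Delta(t) + B\,\mathrm{sat}(\underline{u}, \bar{u}, u_c(t)) - B_f\,\mathrm{sat}(\underline{u}_f, \bar{u}_f, u_f(t)) \\
u_f(t) = M x_\Delta(t) + N u_c(t) \\
y_c(t) = y_f(t) + C x_\Delta(t)
\end{cases} \tag{7.5}$$

with the initial condition $x_\Delta(0) = 0$.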



The tracking recovery problem is restricted to the relevant outputs $z$ and $z_f$ of the
nominal and faulty systems (7.1) and (7.2). The dimension of independently assignable
outputs $\dim(z_f)$ depends on the remaining degrees of freedom after the fault. With
these assumptions, the reconfiguration problem solved in this chapter consists in
solving Problem 5.2, which may be reformulated as follows.

Fig. 7.1 Reconfiguration block for reconfigurable control after actuator faults in saturated
systems.

Lemma 7.1 (Setpoint tracking recovering saturated virtual actuator). Given a
stabilising gain $M$ according to Corollary 6.1, Problem 5.2 is equivalent to finding
the gain $N$ of the saturated virtual actuator (7.5) such that



(7.6) 



Vu c (i) = u c p(t) : lim z(t) - Zf(t) = 0. 



In other words, the output $z_\Delta(t) = z(t) - z_f(t) = C_z x(t) - C_z x_f(t) = C_z x_\Delta(t)$ should be
statically decoupled from the input $u_c(t)$.

The solution for saturated systems is organised as follows. The solution is
prepared by defining several relevant polytopes and their relations in Section 7.2. The
main result regarding the recovery of nominal tracking properties is stated in
Section 7.3. A setpoint supervision approach that maps infeasible equilibria to feasible
ones is described in Section 7.4.



7.2 Concept for Setpoint Tracking Recovery 

The solution to Problem 5.2 starts with the solution to the linear problem. The basic
idea for extending the linear solution to saturated systems consists in describing the
saturations as polytopes restricting the input space, instead of describing them as
nonlinear functions in the input path. Through this idea, the saturation operator is
replaced by an intersection operator.

The notions of the sets of feasible control inputs and feasible outputs are central
to the present approach. All these sets are represented by convex polytopes, which
are defined in this section, after recalling the linear case.

In the linear case, the tracking problem for constant setpoints concerns the transfer
function

$$T_{u_c \to z_\Delta}(s) = C_z (sI - (A - B_f M))^{-1} (B - B_f N). \tag{7.7}$$

Its solution for given $M$ amounts to the selection of a matrix $N$ such that the
transfer function $T_{u_c \to z_\Delta}(s)$ has a zero at the frequency $s = 0$: $T_{u_c \to z_\Delta}(0) = 0$. This goal
is known to be achievable for linear systems ($\varphi(u_c) = u_c$) if and only if the
condition (4.54) is satisfied (see Chapter 4). The condition (4.54) limits the number of
independently assignable output components of $z$ to $\dim(z) = p \le \mathrm{rank}(C_z A^{-1} B_f)$.
The corresponding solution $N$ is obtained from the equation

$$N = \left( C_z (A - B_f M)^{-1} B_f \right)^{\dagger} C_z (A - B_f M)^{-1} B. \tag{7.8}$$

The linear virtual actuator (4.49) also transforms the control command $u_c$ into the
input $u_f$ of the faulty plant. These signals are connected by means of the transfer
function

$$T_{u_c \to u_f}(s) = M (sI - (A - B_f M))^{-1} (B - B_f N) + N$$

with the static gain

$$T_{u_c \to u_f}(0) = N - M (A - B_f M)^{-1} (B - B_f N). \tag{7.9}$$
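A worked instance of Equations (7.8) and (7.9) for the linear case, added here as an example and not taken from the monograph. It assumes a constructed two-state plant with one tracked output ($p = 1$), so that the pseudo-inverse in (7.8) acts on a single row and has the closed form $g^{\dagger} = g^T / (g g^T)$; the matrices and the gain $M$ are illustrative values.

```python
def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]


def matsub(X, Y):
    return [[a - b for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]


def inv2(X):
    """Inverse of a 2 x 2 matrix."""
    (a, b), (c, d) = X
    det = a * d - b * c
    if abs(det) < 1e-12:
        raise ValueError("A - B_f M is singular: no finite static gain")
    return [[d / det, -b / det], [-c / det, a / det]]


def pinv_row(g):
    """Pseudo-inverse of a nonzero 1 x m row vector: g^T / (g g^T)."""
    s = sum(v * v for v in g[0])
    if s < 1e-12:
        raise ValueError("healthy actuators have no static effect on z")
    return [[v / s] for v in g[0]]


def tracking_gain(A, B, Bf, Cz, M):
    """N according to Equation (7.8), for a single tracked output."""
    CzAinv = matmul(Cz, inv2(matsub(A, matmul(Bf, M))))
    return matmul(pinv_row(matmul(CzAinv, Bf)), matmul(CzAinv, B))


def static_gains(A, B, Bf, Cz, M, N):
    """Return (T_{u_c -> z_Delta}(0), T_{u_c -> u_f}(0)) from (7.7) and (7.9)."""
    Acl_inv = inv2(matsub(A, matmul(Bf, M)))
    D = matsub(B, matmul(Bf, N))
    Tz0 = [[-v for v in row] for row in matmul(matmul(Cz, Acl_inv), D)]
    Tu0 = matsub(N, matmul(matmul(M, Acl_inv), D))
    return Tz0, Tu0


# Constructed example: actuator 2 has failed, so the second column of B_f is zero.
A = [[-1.0, 1.0], [0.0, -2.0]]
B = [[1.0, 0.5], [0.0, 1.0]]
BF = [[1.0, 0.0], [0.0, 0.0]]
CZ = [[1.0, 0.0]]                    # tracked output z = x_1
M = [[0.5, 0.2], [0.0, 0.0]]         # assumed stabilising gain, failed actuator unused

N = tracking_gain(A, B, BF, CZ, M)
TZ0, TU0 = static_gains(A, B, BF, CZ, M, N)

if __name__ == "__main__":
    print("N =", N)
    print("T_{u_c -> z_Delta}(0) =", TZ0)
    print("T_{u_c -> u_f}(0) =", TU0)
```

The second row of $N$ is zero, so the failed actuator receives no command, and the first row of the static gain (7.9) shows the healthy actuator taking over the steady-state effect that both actuators had on $z$ in the nominal plant.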

Definition 7.2 (Sets of feasible and generated control inputs). Consider the
saturated system (7.2) with actuator faults. The set of feasible control inputs is defined
as

$$\mathcal{U} \triangleq \{ u \in \mathbb{R}^m : \underline{u}_{f,i} \le u_i \le \bar{u}_{f,i},\ i = 1, \ldots, m \}. \tag{7.10}$$

The set of generated control inputs is defined as

$$\mathcal{U}_a \triangleq \{ u \in \mathcal{U} : \exists\, y(t), r(t), x_c(t), x_{c0}, t \text{ such that } (y, r, x_c, u_c) \text{ satisfies (5.4)} \}. \tag{7.11}$$

The set of feasible control inputs $\mathcal{U}$ thus describes all inputs allowed by the
saturations. The set of generated control inputs $\mathcal{U}_a$ is the subset of $\mathcal{U}$ describing all inputs
that are actually generated by the controller. If the controller ignores entire
components of the input vector, then $\mathcal{U}_a$ is a proper subset ($\mathcal{U}_a \subset \mathcal{U}$). By definition, all
previously defined sets are described by convex polytopes. The set of safe outputs
$\mathcal{Z}_s \subseteq \mathbb{R}^p$ contains all output values that do not violate safety constraints.

This set is defined by the plant designer and is assumed to be convex as well. A
constant feasible control input $u_c$ applied to the reconfigured plant $\Sigma_{Pr} = (\Sigma_{Pf}, \Sigma_A)$
does not activate the saturations in the saturated virtual actuator, where $\Sigma_{Pf}$ is a
saturated system subject to actuator faults, and $\Sigma_A$ is a saturated virtual actuator. In
steady-state, a constant feasible input $u_c$ is transformed into a constant steady-state
input $u_f$ to the faulty plant by means of the static gain (7.9):

$$u_f = T_{u_c \to u_f}(0)\, u_c.$$

The set $\mathcal{U}_a$ is mapped by the virtual actuator to the set

$$\mathcal{U}_f = T_{u_c \to u_f}(0)\, \mathcal{U}_a. \tag{7.12}$$

Since the control input to the faulty plant is limited by its saturations, the effective
set of control inputs behind the saturations is

$$\mathcal{U}_s = \mathcal{U}_f \cap \mathcal{U}. \tag{7.13}$$

One may now ask which original control inputs from the set $\mathcal{U}_a$ translate into
effective control inputs in the set $\mathcal{U}_s$. This set of saturation-respecting control inputs is
called $\mathcal{U}_c$ and defined as

$$\mathcal{U}_c = \{ u \in \mathcal{U}_a : T_{u_c \to u_f}(0)\, u \in \mathcal{U}_s \}$$

and calculated from the formula

The relationship between the sets $\mathcal{U}$, $\mathcal{U}_a$, $\mathcal{U}_f$, and $\mathcal{U}_s$ is illustrated in Fig. 7.2.
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Fig. 7.2 Hypercube of admissible inputs defined by input saturations. 
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From these sets and Assumption 17.21 it is possible to calculate the admissible 
output equilibria 

Z a ±(C z A- l B f <U s )r\Z s . (7.14) 

The elements of $\mathcal{Z}_a$ are output equilibria that exist for the saturated system with
actuator faults.

The final concept needed for the statement of the main result is the concept of a 
minimum equilibrium-preserving input matrix. 

Definition 7.3 (Minimum equilibrium-preserving input matrix). An input matrix
$B_f$ of a faulty linear dynamical system (4.14) is called minimum equilibrium-preserving
if the quadruple $(A, B, B_f, C_z)$ satisfies Condition (4.54), and if every matrix obtained
from $B_f$ by setting some column of $B_f$ to zero yields a quadruple that does not satisfy
Condition (4.54) any longer.

The minimum equilibrium-preserving condition on the input matrix prevents the 
existence of multiple input equilibria leading to the same output equilibrium, of 
which one might activate saturations and be infeasible, whereas the other might be 
feasible. 



7.3 Main Setpoint Tracking Recovery Result 

The following theorem states that the linear solution approach to the tracking recovery
problem also solves the tracking recovery problem for saturated systems, if the
requested setpoint is feasible, and if an additional technical condition on the input
matrix is satisfied. The following theorem thus gives the solution to Problem 5.2.

Theorem 7.1 (Stable asymptotic setpoint tracking recovery). Consider the
reconfigured closed-loop system $(\Sigma_{Pf}, \Sigma_A, \Sigma_C)$ that consists of the faulty
saturated plant (7.2), of the saturated virtual actuator (7.5), and of the nominal
controller (5.4), where the gain $M$ is obtained from Corollary 6.1 and where
the gain $N$ is obtained from Equation (7.8). Then, any feasible constant setpoint
$r \in \mathcal{Z}_a$ is tracked by the reconfigured closed-loop system to the same precision
as it is tracked by the nominal closed-loop system (5.4), (7.1),

$$\lim_{t \to \infty} z(t) - z_f(t) = 0,$$

if the input matrix $B_f$ of the faulty saturated system is minimum
equilibrium-preserving.



Proof. See Appendix ITJl page [263] 
The reason for this result is mainly the absence of obstacles in the state space due
to the presence of simple saturation functions. The saturation functions imply
convexity of all relevant polytopes, therefore control inputs generated by continuous
feedback control laws between two feasible equilibria are always feasible in between
due to convexity. The presence of state-space obstacles leads to the class of
nonholonomic systems, which can generally not be controlled by means of continuous
inputs [104].

It is a hypothesis of Theorem 7.1 that a given reference setpoint $r$ is feasible, and
likewise that the input matrix $B_f$ is minimum equilibrium-preserving. Both hypotheses
may not be directly satisfied and must be enforced by setpoint supervision and
input matrix reduction, which are described in the next section.



7.4 Setpoint Supervision and Input Matrix Reduction 

Reference inputs that are externally provided by fault-unaware components need not
necessarily be feasible. The set of feasible output equilibria $\mathcal{Z}_a$ for the faulty system
may be strictly smaller than the nominal one. Demanding infeasible setpoints often
leads to the activation of actuator saturations, with negative consequences for the
closed-loop performance. It is thus reasonable to demand only achievable setpoints
by mapping infeasible reference inputs to feasible ones (Fig. 7.3).

Fig. 7.3 Integration of setpoint projection into overall reconfigurable control scheme.



To obtain a feasible setpoint $r_a \in \mathcal{Z}_a$ from an arbitrary setpoint $r$, $r$ is projected
onto the set $\mathcal{Z}_a$. The projection may be

• orthogonal, or

• along the set of relevant outputs $z$.

The first approach potentially changes all elements of $r$, while the second approach
preserves as many setpoint elements of $r$ as possible. In particular, the number $k$ of
outputs whose setpoint is independently assignable is

$$k = \operatorname{rank}(C_z A^{-1} B_f). \tag{7.15}$$
The relevant output space basis T z e W Xq marks k relevant elements of the outputs
z by means of ones. Assuming without loss of generality that the first k outputs 
are chosen (always achievable by permutation of outputs), the basis is given by the 
matrix 

r,=({fj), (7.16) 

where the zero blocks have appropriate dimensions. To assure that the equilibrium
is met for the components $r_z$ of $r$ marked in $T_z$, the polytope $\mathcal{Z}_a$ represented by $H_a$
and $k_a$ is augmented by inequalities that constrain the polytope to $r_z$,



H p 



The scalar 6 is a small positive real number added element-wise to $r_z$ in order to
avoid zero volume polytopes, which cause numerical problems. The resulting polytope is

$$\mathcal{Z}_p = \{z \in \mathbb{R}^p : H_p z \le k_p\}. \tag{7.17}$$

The feasible setpoint equilibrium $r_a$ is obtained from

$$r_a = \arg\min_{z \in \mathcal{Z}_p} \|z - r\|. \tag{7.18}$$
The setpoint projection procedure is summarised in Algorithm 7.1 and its embedding
into the reconfigurable control scheme is illustrated in Fig. 7.3.
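The projection of Eq. (7.18) and the branches of Algorithm 7.1 can be exercised numerically as follows. This is an added example, not code from the monograph: it assumes the admissible set is already available in half-space form $H_a z \le k_a$, uses Dykstra's alternating-projection method as the solver (the text does not prescribe one), and assumes the augmentation keeps each prioritised output within a small `margin` of its requested value; all names and the sample polytope are constructed for illustration.

```python
"""Setpoint projection onto a polytope of admissible output equilibria."""


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def in_polytope(H, k, z, tol=1e-7):
    """True if every row of H z <= k holds (within tol)."""
    return all(dot(h, z) <= ki + tol for h, ki in zip(H, k))


def project_polytope(H, k, r, max_sweeps=5000, tol=1e-12):
    """Euclidean projection of r onto {z : H z <= k} by Dykstra's method.

    Each half-space keeps a correction vector p[i]. The loop stops only
    once the corrections have settled: the iterate z alone can stall at
    an infeasible point for many sweeps before it starts moving again.
    """
    z = list(r)
    p = [[0.0] * len(r) for _ in H]
    for _ in range(max_sweeps):
        change = 0.0
        for i, (h, ki) in enumerate(zip(H, k)):
            y = [zj + pj for zj, pj in zip(z, p[i])]
            excess = dot(h, y) - ki
            if excess > 0.0:
                # y violates half-space i: move it back onto the boundary
                step = excess / dot(h, h)
                z = [yj - step * hj for yj, hj in zip(y, h)]
            else:
                z = y
            p_new = [yj - zj for yj, zj in zip(y, z)]
            change = max(change,
                         max(abs(a - b) for a, b in zip(p_new, p[i])))
            p[i] = p_new
        if change < tol:
            break
    if not in_polytope(H, k, z):
        # Assumption of this sketch: an empty augmented polytope is reported
        # to the caller; the text does not say how this case is handled.
        raise ValueError("polytope is empty or projection did not converge")
    return z


def project_setpoint(H_a, k_a, r, n_keep=0, margin=1e-3):
    """Map a requested setpoint r to a feasible setpoint r_a.

    n_keep -- number of leading (prioritised) outputs whose setpoint is
              to be preserved; 0 selects plain orthogonal projection.
    margin -- small positive slack around the preserved components, so
              that the augmented polytope keeps a non-zero volume.
    """
    if in_polytope(H_a, k_a, r, 0.0):
        return list(r)                      # r is already feasible
    H_p = [list(h) for h in H_a]
    k_p = list(k_a)
    for i in range(n_keep):
        # Assumed form of the augmentation:
        #   r_i - margin <= z_i <= r_i + margin
        e = [0.0] * len(r)
        e[i] = 1.0
        H_p += [e, [-x for x in e]]
        k_p += [r[i] + margin, -(r[i] - margin)]
    return project_polytope(H_p, k_p, r)


# Constructed sample data: two outputs, admissible equilibria given by
# |z1| <= 1, |z2| <= 0.5 and z1 + z2 <= 1.2 (rows of H_A z <= K_A).
H_A = [[1.0, 0.0], [-1.0, 0.0], [0.0, 1.0], [0.0, -1.0], [1.0, 1.0]]
K_A = [1.0, 1.0, 0.5, 0.5, 1.2]

if __name__ == "__main__":
    requested = [0.8, 2.0]
    print("orthogonal :", project_setpoint(H_A, K_A, requested))
    print("keep z1    :", project_setpoint(H_A, K_A, requested, n_keep=1))
```

The orthogonal variant changes both components of the requested setpoint, whereas the prioritised variant keeps the first component within the margin and moves only the second.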

Next, it is shown how a minimum equilibrium-preserving input matrix can be
generated from a general input matrix. The guideline in preferring certain inputs
over others consists in letting the virtual actuator prefer those actuators whose
equilibrium values are centered between their actuation range limits. For a perfectly
centered input $u_i$, the relation $\underline{u}_i + \bar{u}_i = 0$ holds. This goal is achieved by iteratively
zeroing columns of $B_f$ that correspond to non-centered actuators, while preserving
the controllability and satisfying Condition (4.54). The online procedure is provided
in Algorithm 7.2.

In Algorithm 7.2 the notation $B_f(m) := 0$ denotes assignment of the null-vector
to the m-th column of $B_f$. However, it remains to mention that the application of
Algorithm 7.2 in general reduces the feasible set $\mathcal{Z}_a$.

The overall synthesis and online application of the saturated virtual actuator is
summarised in Algorithm 7.3.



Algorithm 7.1. Online setpoint projection to admissible set

Require: Plant model $(A, B, B_f, C_z)$, saturation bounds $\underline{u}$, $\bar{u}$, $\underline{u}_f$, $\bar{u}_f$, setpoint $r$,
    parameters $M$, $N$ of virtual actuator, set of generated inputs $\mathcal{U}_a$, set of safe
    outputs $\mathcal{Z}_s$
 1: Determine $\mathcal{U}$ from Eq. (7.10) and determine $k$ from Eq. (7.15)
 2: Compute $\mathcal{Z}_a$ from $\mathcal{Z}_s$ and Eqs. (7.12), (7.13), (7.14)
 3: if $r \in \mathcal{Z}_a$ then
 4:     return $r_a = r$
 5: end if
 6: Select $k$ relevant outputs and determine $T_z$ defined in Eq. (7.16)
 7: if no priorities are assigned to any outputs then
 8:     Project $r$ onto $\mathcal{Z}_p$ by Eq. (7.18) with $\mathcal{Z}_p = \mathcal{Z}_a$
 9: else
10:     Project $r$ onto $\mathcal{Z}_p$ by Eq. (7.18) with $\mathcal{Z}_p$ as in Eq. (7.17)
11: end if
Result: Feasible setpoint $r_a$.

Algorithm 7.2. Online input matrix reduction

Require: Faulty plant model $(A, B_f)$, saturation bounds $\underline{u}_f$, $\bar{u}_f$
 1: Let $\tilde{u} = \underline{u}_f + \bar{u}_f$
 2: Compute candidate inputs for deletion,
        $m = \arg\max_j |\tilde{u}_j|$;  $\tilde{B}_f := B_f$;  $\tilde{B}_f(m) := 0$.
 3: if Eq. (4.54) is satisfied with $\tilde{B}_f$ instead of $B_f$ then
 4:     Set $B_f := \tilde{B}_f$ and goto step 2; else end
 5: end if
Result: Reduced input matrix $B_f$ that permits the same reconfiguration result w.r.t.
    stability and equilibrium recovery as the original input matrix.

Algorithm 7.3. Tracking-recovering saturated virtual actuator

Require: Plant model $(A, B, C)$, saturation bounds $\underline{u}$, $\bar{u}$, initial condition $x_0$
 1: Initialise the nominal closed-loop system (5.4), (7.1), (7.5) with $B_f = B$, $\underline{u}_f = \underline{u}$,
    $\bar{u}_f = \bar{u}$, $M = 0$, $N = I$, $x(t_0) = x_0$, $x_\Delta(t_0) = 0$
 2: repeat
 3:     Run the nominal closed-loop system
 4: until actuator fault $f$ detected and isolated
 5: Construct the actuator fault model $B_f$, $\underline{u}_f$, $\bar{u}_f$, the sector bound $S_v = I$, and
    update the saturated virtual actuator (7.5)
 6: Compute feasible solutions $(X_a, Y_a)$ of the linear matrix inequality (6.11)
 7: Compute the reduced faulty input matrix using Alg. 7.2
 8: Compute the gain $N$ from Eq. (7.8), where $B_f$ is replaced by the reduced input matrix
 9: Update the saturated virtual actuator with $M = Y_a X_a^{-1}$, $N$
10: Compute feasible setpoint $r_a$ from current setpoint $r$ using Alg. 7.1
11: repeat
12:     Run the reconfigured closed-loop system
13:     if the setpoint $r$ changes then
14:         Recompute feasible setpoint $r_a$ from current setpoint $r$ using Alg. 7.1
15:     end if
16: until closed-loop system stopped
Result: Globally ISS and setpoint-tracking reconfigured closed-loop system (5.4),
    (TO). (T73T)

Example 7.1 (Tracking saturated virtual actuator synthesis for the ship). Given
the elements (4.8), (4.9) of the linear model, Algorithm 7.3 is applied to the rudder
failure fo combined with reduced actuation range of the left thruster f^.

The application of the tracking recovery algorithm requires some care. Recall
that the plant is assumed to have finite static gain from the input $u$ to the controlled
output $z$ (Assumption 7.2). This assumption is violated if the heading is included in
the controlled output vector. Therefore, the output $z$ is chosen as $z = (v \;\; r)^T$ for the
purpose of this algorithm. In other words, the recovery of the yaw velocity is sought
instead of the recovery of heading. This step is not restrictive, since a cascaded
controller is used as a nominal controller that performs heading control in the outer
loop, whereas an inner loop regulates the yaw velocity.

The response of the nonlinear ship model subject to abrupt rudder failure at
$t_f = 20$ s is shown in Fig. 7.4. The times $0 < t < t_f = 20$ s correspond to the steps
1 to 4 of the algorithm describing the situation without faults, where the virtual
sensor is inactive. At the time $t_f = 20$ s, the rudder fails in floating condition. The
fault is immediately detected and isolated in step 4, the model of the faulty system
is constructed in step 5, and the virtual actuator parameters $M$ and $N$ are calculated
in steps 6 to 9, where the result for $M$ is the same that was given in Equation (6.75),
and the feedthrough gain is

$$N = \begin{pmatrix} 1 & 0 & 5 \\ 0 & 1 & -5 \\ 0 & 0 & 0 \end{pmatrix}. \tag{7.19}$$

All setpoints for heading and velocity are still feasible, so step 10 does not change
the reference signal. The reconfigured closed-loop system is executed in step 7.

The matrix N can be interpreted as follows. The thrust inputs from the nominal 
controller (first two columns) are fed through, which is logical, since these inputs 
determine the surge velocity, and since the thrusters are not faulty. The last col- 
umn means that a positive rudder angle (steer to the right) is translated into a left 
thruster force increase and a right thruster force decrease, which also causes positive
momentum and steers the ship to the right. 

Fig. 7.4 shows that, indeed, all variables are stable, and the reference input
(dashed) for the surge velocity (solid) is asymptotically recovered. The sway and 
yaw velocities quickly converge to the origin. The heading is not shown in that fig- 
ure but indicated in the following figure. 

Fig. 7.5 shows the motion of the ship with reconfigured controller, which is capable
of avoiding the obstacle. However, it does not return to its old course after
avoiding the obstacle, therefore the solution is not yet satisfactory. This shortcoming
is due to the small gain of the feedback gain $M$, which results in a too slow
response of the virtual actuator.

Fig. 7.4 Response of nonlinear ship subject to rudder failure and control reconfiguration by
means of tracking-recovering saturated virtual actuator.



7.5 Summary and Discussion 

In this chapter, it was shown how the linear solution to the tracking recovery problem
can be extended to solve the corresponding Problem 5.2 in saturated systems
(Theorem 7.1). The main idea consists in the expression of saturation operators by
intersection operations. The approach requires few additional steps, limited to the
online projection of infeasible setpoints to feasible setpoints (Algorithm 7.1), and the
online reduction of the input matrix of the faulty saturated system (Algorithm 7.2).

Fig. 7.5 Motion of nonlinear ship subject to rudder failure and control reconfiguration by
means of tracking-recovering Hammerstein virtual actuator.



Due to the input matrix reduction, some conservatism is introduced. In other 
words, in general, for any input matrix reduction there exist equilibria that cannot 
be reached with the reduced input matrix, but could be reached with a differently 
reduced input matrix. In order to be able to reach every setpoint that is feasible 
with the un-reduced input matrix, the feedforward gain N of the virtual actuator 
would have to depend on the setpoint. The idea of making the feedforward gain N 
dependent on the reference input represents a potential extension of the presented 
approach. Care must be taken to ensure that perpetual switching between different 
values for N does not cause unstable behaviour. 

The following chapter describes the recovery of nominal performance. The motivation
for considering performance recovery is highlighted by Example 7.1.



Chapter 8

Performance Recovery after Actuator Faults in Saturated Systems



Abstract. This chapter gives the solution to the optimal performance recovery prob- 
lem after actuator faults in saturated systems. The solution extends the stabilising 
reconfiguration solution to achieve a compromise between output trajectory recov- 
ery and control input amplification. 



8.1 Overview of the Performance Recovery Problem and Its 
Solution 

The task considered in this chapter consists in solving Problem 5.3, which requires
reaching an optimal compromise between small input amplification and good
performance recovery, while preserving the reconfigured closed-loop ISS condition
established in Corollary 6.1. The class of systems considered in this chapter is the
same as that considered in the previous Chapter 7, namely nominal saturated
systems (5.3) and saturated systems subject to actuator faults (5.9).

It was found that if the virtual actuator gain $M = Y_a X_a^{-1}$ is chosen such that the
variables $X_a$, $Y_a$ satisfy the LMI (6.11), stated here specifically for saturated systems
where $S_v = I_m$,

$$\begin{pmatrix} -(A X_a + X_a A^T) & Y_a^T - B_f \\ \star & 2 I_m \end{pmatrix} > 0, \tag{8.1}$$

then the reconfigured closed-loop ISS is guaranteed. The number of feasible solutions
to the LMI (8.1) is infinite, which leaves considerable freedom for good and
bad choices of $M$ with respect to Problem 5.3.

The approach to attaining a good compromise between performance and control
effort, as required by Problem 5.3, consists in the consideration of the linear
subsystems of the saturated plant and the saturated virtual actuator. Linear optimisation
approaches are used to minimise the $H_\infty$-norms of transfer functions that correspond
to the signal paths describing the problem. All statements about optimality
made throughout this chapter are valid only if the control inputs do not exceed the
saturation bounds imposed on the inputs. Condition (8.1), however, guarantees that
stability is preserved also if saturation bounds are exceeded.

Fig. 8.1 Transfer functions describing the linear virtual actuator.

The considered linear subsystems are the nominal linear plant (4.1), the faulty
linear plant (4.14), and the linear virtual actuator (4.49), summarised here again for
ease of reference,

$$\Sigma_P:\ \begin{cases} \dot{x}(t) = A x(t) + B u_c(t) + B_d d(t), \quad x(0) = x_0 \\ y(t) = C x(t) \\ z(t) = C_z x(t) \end{cases}$$

$$\Sigma_{Pf}:\ \begin{cases} \dot{x}_f(t) = A x_f(t) + B_f u_f(t) + B_d d(t), \quad x_f(0) = x_0 \\ y_f(t) = C_f x_f(t) \\ z_f(t) = C_z x_f(t) \end{cases}$$

$$\Sigma_A:\ \begin{cases} \dot{x}_\Delta(t) = A_\Delta x_\Delta(t) + B_\Delta u_c(t), \quad x_\Delta(0) = 0 \\ u_f(t) = M x_\Delta(t) + N u_c(t) \\ y_c(t) = C x_\Delta(t) + y_f(t). \end{cases}$$

The output performance recovery is characterised by the transfer function

$$T_{u_c \to z_\Delta}(s) = C_z \left(sI - (A - B_f M)\right)^{-1} (B - B_f N) \tag{8.2}$$

of the virtual actuator (Fig. 8.1). The input amplification by the virtual actuator is
characterised by the transfer function

$$T_{u_c \to u_f}(s) = M \left(sI - (A - B_f M)\right)^{-1} (B - B_f N) + N \tag{8.3}$$

of the virtual actuator (Fig. 8.1).

With these transfer functions, it is possible to re-state and solve the parts of
Problem 5.3 which consist in limiting the gains of the stated transfer functions in the
sense of their $H_\infty$-norms. This norm was chosen because it represents the largest
peak-to-peak amplification of harmonic input signals by the system over the entire
frequency range. The $H_2$-norm is an alternative criterion that represents the
asymptotic output variance of the transfer function driven by white noise. Since the
control input signal $u_c$ is not stochastic, the $H_\infty$-norm is chosen here.



8.2 Output Trajectory Recovery 

This section focusses entirely on the output trajectory recovery part of Problem 5.3.
The goal is to find suitable gains $M$ and $N$ such that the $H_\infty$-norm $\gamma_z$ of the transfer
function (8.2) is minimised, while preserving the closed-loop ISS property of the
system with saturations. In order to give priority to certain components of $z$ over
others, a symmetric weight matrix $Q = Q^T > 0$ is left-multiplied to the transfer function
$T_{u_c \to z_\Delta}(s)$ defined in Equation (8.2). For that goal, Problem 5.3 simplifies to the
following problem.

Problem 8.1 (Optimal output trajectory recovery). Given a weight $Q = Q^T > 0$,
find virtual actuator gains $M$ and $N$ that solve the optimisation problem



subject to 

i-(AX a +X a A T ) 



%^ = 



where $X_a = X_a^T > 0$, and $M = Y_a X_a^{-1}$.

The solution to Problem 8.1 is given by the following theorem, which also solves
Problem 5.3 specified for pure output trajectory recovery.



Theorem 8.1 (Optimal output recovering saturated virtual actuator synthesis).
The reconfigured closed-loop system $(\Sigma_{Pf}, \Sigma_A, \Sigma_C)$ that consists of the
saturated system ( I5.il ), the saturated virtual actuator (7.5), and the nominal
controller (5.4) optimally recovers the nominal output performance in the sense
of the $H_\infty$-norm of the corresponding weighed transfer function (8.2), if the
matrices $M$ and $N$ of the virtual actuator are solutions of the optimisation problem

$$\min \gamma_z$$

subject to

$$
\begin{aligned}
&\begin{pmatrix}
A X_{az} + X_{az} A^T - B_f Y_{az} - Y_{az}^T B_f^T & B - B_f N & X_{az} C_z^T Q \\
\star & -\gamma_z I & 0 \\
\star & \star & -\gamma_z I
\end{pmatrix} < 0 \\
&\begin{pmatrix}
-(A X_{az} + X_{az} A^T) & Y_{az}^T - B_f \\
\star & 2 I_m
\end{pmatrix} > 0 \\
&X_{az} = X_{az}^T > 0, \quad \gamma_z > 0,
\end{aligned}
\tag{8.4}
$$

where $M = Y_{az} X_{az}^{-1}$, and if the control inputs $u_c$ and $u_f$ do not exceed the
saturation bounds. Furthermore, the reconfigured closed-loop system is ISS w.r.t.
its input $(r, d)$.

Proof. See Appendix D, page 264.

The optimisation problem to be solved in Theorem 8.1 has a linear objective function
and is defined on a convex feasible region. This class of problems is readily
solvable using numerical methods.

The exclusive focus on performance generally results in high-amplitude input
signals, which are not realisable due to saturations. The next section discusses the
minimisation of the input energy amplification by the virtual actuator.



8.3 Input Energy Limitation 

In this section, the opposite special case of the previous section is solved, namely
minimising the input amplification of the virtual actuator, as formulated as part of
Problem 5.3. The goal is to find suitable gains $M$ and $N$ such that the $H_\infty$-norm
$\gamma_u$ of the transfer function (8.3) is minimised, while preserving the closed-loop ISS
property of the system with saturations. For this goal, Problem 5.3 simplifies to the
following problem.

Problem 8.2 (Minimum input amplification). Find virtual actuator gains $M$ and
$N$ that solve the optimisation problem

$$\min \|T_{u_c \to u_f}(s)\|_\infty = \gamma_u$$

subject to

$$\begin{pmatrix} -(A X_a + X_a A^T) & Y_a^T - B_f \\ \star & 2 I_m \end{pmatrix} > 0,$$

where $X_a = X_a^T > 0$, and $M = Y_a X_a^{-1}$.
Theorem 8.2 (Minimum input amplification virtual actuator). The reconfigured
closed-loop system $(\Sigma_{Pf}, \Sigma_A, \Sigma_C)$ that consists of the saturated system (5.3),
the saturated virtual actuator (7.5), and the nominal controller (5.4)
minimally amplifies the control input in the sense of the $H_\infty$-norm of the
corresponding transfer function (8.3), if the matrices $M$ and $N$ of the virtual actuator
are solutions of the optimisation problem

$$\min \gamma_u$$

subject to

$$
\begin{aligned}
&\begin{pmatrix}
A X_{au} + X_{au} A^T - B_f Y_{au} - Y_{au}^T B_f^T & B - B_f N & Y_{au}^T \\
\star & -\gamma_u I & N^T \\
\star & \star & -\gamma_u I
\end{pmatrix} < 0 \\
&\begin{pmatrix}
-(A X_{au} + X_{au} A^T) & Y_{au}^T - B_f \\
\star & 2 I_m
\end{pmatrix} > 0 \\
&X_{au} = X_{au}^T > 0, \quad \gamma_u > 1,
\end{aligned}
\tag{8.5}
$$

where $M = Y_{au} X_{au}^{-1}$, and if the control inputs $u_c$ and $u_f$ do not exceed the
saturation bounds. Furthermore, the reconfigured closed-loop system is ISS w.r.t.
its input $(r, d)$.

Proof. See Appendix D, page 264.

Again, the optimisation problem to be solved in Theorem 8.2 has a linear objective
function and is defined on a convex feasible region. The result allows the minimisation
of input energy amplification by the virtual actuator. The constraint $\gamma_u > 1$
ensures that the optimal solution obtained from Theorem 8.2 is not $M = 0$, $N = 0$.
This solution is not desirable in practice, since it disconnects the faulty saturated
plant from the controller and lets the faulty plant run in open loop.

The exclusive minimisation of input signal amplification might lead to insufficient
performance. A practical solution will, therefore, have to combine the ideas
shown in Section 8.2 and the present section. That approach is shown in the next
section.



8.4 Weighed Multi-objective Synthesis 



Neither the exclusive consideration of performance nor the exclusive consideration
of input energy are useful for practical design of the virtual actuator. This section
combines both objectives by means of weighing into a single synthesis objective that
reflects a compromise between a small input amplification and a small output error,
thus providing a complete solution to Problem 5.3. The weight $\lambda$ is a free parameter
specified by the user and can be adjusted to the needs of the considered application.
In particular, the suitable choice of the weight parameter $\lambda$ helps satisfying the
assumption that the control inputs do not exceed the saturation bounds.

Theorem 8.3 (Weighed multi-objective virtual actuator synthesis). Consider
the reconfigured closed-loop system $(\Sigma_{Pf}, \Sigma_A, \Sigma_C)$ that consists of the
saturated system ( I5.il ), the saturated virtual actuator (7.5), and the nominal
controller (5.4). The reconfiguration solution realises an optimal compromise
$\lambda\gamma_z + (1 - \lambda)\gamma_u$ between output recovery and input amplification expressed by
means of the weight parameter $\lambda \in [0, 1]$, if the degrees of freedom $M$ and $N$
are solutions of the optimisation problem

$$\min_{N, X_a, Y_a} \lambda\gamma_z + (1 - \lambda)\gamma_u \tag{8.6}$$
$$X_a = X_a^T > 0, \quad \gamma_u > 1, \quad \gamma_z > 0,$$



(8.7) 

(8.8) 

(8.9) 
(8.10) 



where $M = Y_a X_a^{-1}$. The weight parameter $\lambda$ is specified by the user. Optimality
is achieved if the inputs $u_c$ and $u_f$ do not exceed the saturation bounds.
Furthermore, the reconfigured closed-loop system is ISS w.r.t. its input $(r, d)$.

Proof. See Appendix D, page 265.

The case $\lambda = 0$ corresponds to minimum actuation energy amplification, whereas
the case $\lambda = 1$ corresponds to minimum performance loss. Like the separate
single-objective approaches, the underlying optimisation problem in this multi-objective
approach is linear and convex. The optimisation problem embedded in the previous
theorem gives rise to Pareto-optimal solutions, meaning that an improvement of one
of the included objectives implies a degradation of the other objective. In practice,
it is advantageous to choose the weight $\lambda$ small enough so that the control inputs do
not exceed the saturation bounds under typical operating conditions.
Algorithm 8.1. Performance-recovering saturated virtual actuator with limited input
amplification

Require: Plant model $(A, B, C)$, saturation bounds $\underline{u}_f$, $\bar{u}_f$, performance/energy
    weight $\lambda$, output weight matrix $Q$, initial condition $x_0$
 1: Initialise the nominal closed-loop system (5.4), (7.1), (7.5) with $B_f = B$, $\underline{u}_f = \underline{u}$,
    $\bar{u}_f = \bar{u}$, $M = 0$, $N = I$, $x(t_0) = x_0$, $x_\Delta(t_0) = 0$
 2: repeat
 3:     Run the nominal closed-loop system
 4: until actuator fault $f$ detected and isolated
 5: Construct the actuator fault model $B_f$, $\underline{u}_f$, $\bar{u}_f$ and update the saturated virtual
    actuator (7.5)
 6: Solve the optimisation problem (8.7) subject to the semidefinite constraints
    (8.7)-(8.10) for the variables $X_a$, $Y_a$, $N$
 7: Update the saturated virtual actuator with $M = Y_a X_a^{-1}$ and $N$
 8: Run the reconfigured closed-loop system
Result: Globally ISS reconfigured closed-loop system (5.4), (7.1), (7.5) that optimally
    realises the chosen compromise between performance recovery and minimum
    input amplification



The LMI-based characterisations of the $H_\infty$-norms of the transfer functions
$T_{u_c \to z_\Delta}(s)$ and $T_{u_c \to u_f}(s)$ use different variables $X_{az}$ and $X_{au}$ as well as $Y_{az}$ and
$Y_{au}$, respectively. The multiobjective optimisation problem (8.7) could only be
formulated with consistent constraints after unification of variables $X_a = X_{az} = X_{au}$ and
$Y_a = Y_{az} = Y_{au}$ (see the proof of Theorem 8.3). This simplification introduces some
conservatism. In other words, the computed Pareto-optimal solutions might not be
globally optimal. However, the true global optimum cannot be computed, and the
chosen approach provides a good approximation. Note also that not the optimal
gains themselves, but the corresponding solution variables are of main interest here.

The overall online application of the weighed multi-objective synthesis of the
saturated virtual actuator for saturated systems is summarised in Algorithm 8.1.



Example 8.1 (Performance recovering saturated virtual actuator synthesis for
the ship). In Example 7.1 it became obvious that stability and tracking are not
always sufficiently adequate in practice. Therefore, performance recovery is now
applied to the ship after rudder failure fa.

The response of the nonlinear ship model subject to abrupt rudder failure at
$t_f = 20$ s is shown in Fig. 8.2. Before the fault occurs at $t_f = 20$ s, the saturated
virtual actuator is inactive due to the choice of its parameters $M = 0$ and $N = I$.
The time period $0 < t < t_f$ corresponds to the steps 1 to 4 of Algorithm 8.1. The fault
that occurs at $t_f = 20$ s is assumed to be immediately detected and isolated in step 5
of the algorithm. Given the elements (4.8), (4.9) of the linear model, Algorithm 8.1
is applied with the tradeoff weight $\lambda = 0.2$, thus with focus on limiting the control
input amplification, and with the output weight $Q = \operatorname{diag}(1 \;\; 0.1)$. In steps 6 and 7, the
algorithm computes the feedback gain $M$ and the feedforward gain $N$

$$M = \begin{pmatrix} 1.59 & -331.6 & 244.1 & 40.2 \\ 1.59 & 331.6 & -244.1 & -40.2 \end{pmatrix}, \qquad
N = \begin{pmatrix} 0.94 & 0.038 & 4.53 \\ 0.038 & 0.94 & -4.53 \\ 4.53 & -4.53 & -0.91 \end{pmatrix}$$

and updates the saturated virtual actuator. The ship is governed by reconfigured
closed-loop dynamics in step 8, which covers the time interval $t_f = 20\ \mathrm{s} < t < \infty$.

It is clearly visible from Fig. 8.2 that the thrusters replace the failed rudder in order
to manipulate the ship yaw velocity and heading. All signals are stable, the surge
velocity follows its reference input, and the ship follows its path while avoiding the
obstacle, as Fig. 8.3 clearly shows. This example highlights the role of performance
recovery in the context of reconfigurable control.

Fig. 8.2 Response of nonlinear ship subject to rudder failure with control reconfiguration by
means of performance-recovering saturated virtual actuator.

Fig. 8.3 Motion of nonlinear ship subject to rudder failure with control reconfiguration by
means of performance-recovering saturated virtual actuator.



8.5 Summary and Discussion 

In this chapter, it was shown how the linear solution to the performance recovery
problem can be extended to solve the corresponding Problem 5.3 in saturated systems
subject to actuator faults. The main idea consists in the consideration of the
linear dynamics of the saturated system, and a compromise between performance
recovery (Theorem 8.1) and input signal amplification (Theorem 8.2) expressed in
Theorem 8.3. If the nominal controller respects the saturations, then a cautious
adjustment of the weight $\lambda$ in the reconfiguration Algorithm 8.1 can prevent excessive
input signals. The inclusion of the stability condition (8.1) for the saturated system
ensures that the reconfigured closed-loop system remains stable, also if the feasible
inputs are exceeded. As mentioned above, optimality is attained only if the input
signals do not exceed the saturation bounds.

With respect to the requirements stated in Section [T31 the method is well-suited
for autonomous online application. The only choices to be made by the user are
the weight $\lambda$ between input amplification and output performance, and the diagonal
output weight matrix $Q$. Therefore, the choice between potentially large numbers
and very different kinds of reconfigured controllers has been reduced to the choice
of a scalar number that has an intuitive interpretation as a weight between
contradicting goals, and a well-interpretable matrix placing emphasis on certain outputs
over others. Given the current computational power, the approach is numerically
applicable to small and medium sized problems, and the robustness properties
derived in Chapter 6 remain valid.

A possible extension of the performance recovering saturated virtual actuator 
consists in the inclusion of integral action by means of extension of the virtual ac- 
tuator state. The resulting transfer functions that define the optimisation problem 
still define systems with well-defined $H_\infty$-norms. The extended system matrix is,
however, no longer Hurwitz, and a slightly different technical statement about the 
closed-loop stability must be made, in the sense that only convergence of the ex- 
tended state to a neighborhood of the origin can be verified. This result is logical 
and to be expected from the inclusion of pure integrators into the difference system. 
However, the mentioned extension is often useful in practice. 

This chapter concludes Part II of this monograph on the reconfigurable control
of Hammerstein-Wiener systems. The solutions presented in this part are linked as
follows. In many practical applications, the most important limitation to the validity
of linear models is the presence of input saturations. In this case, saturated systems
adequately describe the system, and the stable setpoint tracking and optimal
performance recovering reconfiguration solutions of Chapters 7 and 8 can be applied.
The robustness properties found in Chapter 6 furthermore provide safeguard against
model errors that result from both inaccurate diagnosis results and from neglected
moderate (static) nonlinear effects.

In the case of additional sensor faults, a saturated virtual sensor can be easily 
derived as a special case of the Hammerstein-Wiener virtual sensor. The results on
setpoint tracking and optimal performance recovery remain valid when coupling the 
virtual sensor with the virtual actuator in the absence of disturbances. The presence 
of disturbances adds difficulty to the setpoint tracking recovery, since disturbances 
force the observation error and consequently also the tracking error away from the 
origin. Unknown-input (PI) observers for saturated systems would have to be used 
to suppress the disturbance effect on the tracking error. 

The class of Hammerstein-Wiener systems studied in this part does not reflect
nonlinear dynamics. If nonlinear dynamics play a major role in the considered sys- 
tem, or if large operation ranges have to be considered, then the methods presented 
in this part have limited utility. The following Part III of this monograph thus ex- 
tends the fault-hiding approach to reconfigurable control to piecewise affine sys- 
tems, which are considered as approximations of systems with input-affine nonlin- 
ear dynamics. 



Part III
Reconfigurable Control of Piecewise Affine Systems



In this part, the reconfigurable control problem is solved for the class of piecewise 
affine systems, where the fault-hiding principle provides the conceptual basis. Ac- 
tuator and sensor faults may occur simultaneously in this approach. Solutions are 
given with respect to the problems of recovering closed-loop stability and asymp- 
totic setpoint tracking. The practically important case where a piecewise affine re- 
configuration block is used in connection with a nonlinear plant is discussed. 



Chapter 9

Control Reconfiguration Problem for Piecewise Affine Systems



Abstract. This chapter defines nominal piecewise affine systems and the nominal 
closed-loop system for the class of PWA systems, as well as the assumptions made 
about the nominal closed-loop system. It is shown how faults are modelled in
piecewise affine systems, and the corresponding reconfiguration problems are formulated.
The chapter closes with bibliographic notes.

9.1 Nominal Piecewise Affine Systems 

A further extension of linear systems are piecewise affine systems, where the system
matrix and an affine term are allowed to vary depending on the present state. The
state-space is partitioned into a collection of $r$ non-overlapping polyhedra $\Lambda_i$ that
cover the entire state-space, namely

$$\forall i \neq j: \operatorname{int}(\Lambda_i) \cap \operatorname{int}(\Lambda_j) = \emptyset, \qquad \bigcup_{i=1}^{r} \Lambda_i = \mathbb{R}^n.$$

Definition 9.1 (Piecewise affine system [90, 197]). A piecewise affine (PWA) system
is a system of first-order ODEs

$$\Sigma_P: \begin{cases} \dot{x}(t) = A_i x(t) + a_i + B u_c(t) + B_d d(t) & \text{for } x(t) \in \Lambda_i,\ i \in \{1, \dots, r\} \\ y(t) = C x(t) \\ z(t) = C_z x(t) \end{cases} \qquad (9.1)$$

where all signals are in accordance with Definition 3.2. The symbol $A_i$, $i \in \{1, \dots, r\}$,
denotes a family of system matrices, whereas $a_i$, $i \in \{1, \dots, r\}$, is a family of affine
terms. The remaining matrices are in accordance with Definition 4.1, all matrices
are of compatible dimensions, and

$$x(0) = x_0$$

is the initial condition.

J.H. Richter: Reconfigurable Control of Nonlinear Dynamical Systems, LNCIS 408, pp. 143-155.
springerlink.com © Springer-Verlag Berlin Heidelberg 2011
Each of the pairwise disjoint sets $\Lambda_k$ corresponds to a mode of the PWA system (9.1)
in the sense that if $x(t) \in \Lambda_k$ at time $t$, then the system is described by the
$k$-th affine system represented by the tuple $(A_k, a_k, B, B_d, C, C_z)$ at time $t$. Switching
among the modes is triggered when the state trajectory crosses a boundary between
two polyhedra. A PWA system is shown in Fig. 9.1.

Fig. 9.1 Piecewise affine system.



The following assumption is made throughout the monograph. 
Assumption 9.1. The right-hand side

$$f_a(x, u_c, d) = A_i x + a_i + B u_c + B_d d \quad \text{for } x \in \Lambda_i,\ i \in \{1, \dots, r\}$$

of the system (9.1) is assumed to be a continuous function of its arguments $x$, $u_c$
and $d$.

The right-hand side of the PWA system (9.1) is automatically continuous for
$x \in \operatorname{int}(\Lambda_i)$, $i \in \{1, \dots, r\}$, since it is affine in every mode. Discontinuities may occur at
the boundaries between adjacent polyhedra, and the system modeler must ensure
that the PWA system model is free from such discontinuities. However, the
right-hand side of the PWA system is nonsmooth on the boundaries between the
mode-defining polyhedra. Note that Assumption 9.1 guarantees that the system (9.1) is
locally Lipschitz-continuous. Consequently, for any $u_c \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^m)$, $d \in \mathcal{L}^{\mathrm{loc}}(\mathbb{R}^k)$,
and $x_0 \in \mathbb{R}^n$, it has a unique and globally defined solution that is locally absolutely
continuous. Also, sliding modes cannot occur as solutions of the PWA system (9.1)
if it is continuous.

Note also that the original definition of PWA systems in [90, 197] allows switching
input and output matrices. This extension, however, immediately destroys the
continuity property, which is instrumental for obtaining the results of the following
two chapters. Note that all papers that address the more general class of PWA
systems provide solutions to the problem of stabilising equilibrium points. The
reconfiguration problem, however, leads to a stabilisation problem of time-varying
solutions of multi-mode PWA systems, for which only results based on continuity are
known (solutions for bimodal discontinuous PWA systems are available, though).

The following theorem summarises prior results on the incremental stability, ISS, 
and convergence of continuous PWA systems. 
Theorem 9.1 (PWA incremental stability, ISS, and convergence [156, 159]).
Consider the PWA system (9.1) with the right-hand side $f_a(x, u_c, d) = A_i x + a_i +
B u_c + B_d d$ for $x \in \Lambda_i$, $i \in \{1, \dots, r\}$, and suppose that Assumption 9.1 holds. If there
exists a matrix $X \in \mathbb{R}^{n \times n}$, $X = X^T \succ 0$, that satisfies the LMIs

$$X A_i + A_i^T X \prec 0, \quad i = 1, \dots, r, \qquad (9.2)$$

then the system (9.1) is 0-GES for $u_c, d = 0$, globally ISS w.r.t. $(u_c, d)$, and for any
two points $x_1, x_2 \in \mathbb{R}^n$, the following algebraic inequality holds:

$$(x_1 - x_2)^T X \left(f_a(x_1, u_c, d) - f_a(x_2, u_c, d)\right) \le -\beta (x_1 - x_2)^T X (x_1 - x_2). \qquad (9.3)$$

That is, the system is quadratically incrementally stable. The number $\beta > 0$ depends
only on the matrix $X$. Furthermore, the system is globally exponentially convergent.

Lyapunov-characterisations of incremental stability were first presented in [5] and
ISS results for locally Lipschitz systems were published in [199].
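A numerical check of the conditions of Theorem 9.1 on a small case, as an added example that is not part of the monograph: the two-mode system `MODES` (switching on the sign of the first state), the candidates `X_GOOD` and `X_BAD`, and the random test pairs are all constructed here. The code tests the LMIs (9.2) for a given candidate $X$ and samples the ratio of the two sides of (9.3) across the mode boundary.

```python
import random

# Constructed continuous bimodal PWA system: mode 0 for x1 <= 0, mode 1 for x1 > 0.
# (A_0 - A_1) x = (2*x1, 0) vanishes on the boundary x1 = 0, so Assumption 9.1 holds.
MODES = [([[-1.0, 1.0], [0.0, -2.0]], [0.3, -0.2]),
         ([[-3.0, 1.0], [0.0, -2.0]], [0.3, -0.2])]
X_GOOD = [[1.0, 0.0], [0.0, 1.0]]    # candidate that satisfies (9.2)
X_BAD = [[1.0, 0.0], [0.0, 0.01]]    # positive definite, but violates (9.2)

def lyap_lhs(X, A):
    """Return the symmetric 2x2 matrix X A + A^T X."""
    XA = [[sum(X[r][k] * A[k][c] for k in range(2)) for c in range(2)] for r in range(2)]
    return [[XA[r][c] + XA[c][r] for c in range(2)] for r in range(2)]

def det2(S):
    return S[0][0] * S[1][1] - S[0][1] * S[1][0]

def common_lyapunov_ok(X, modes):
    """True if X = X^T > 0 and X A_i + A_i^T X < 0 for every mode (2x2 case)."""
    symmetric = abs(X[0][1] - X[1][0]) < 1e-12
    pos_def = X[0][0] > 0 and det2(X) > 0
    neg_def = all(S[0][0] < 0 and det2(S) > 0
                  for S in (lyap_lhs(X, A) for A, _ in modes))
    return symmetric and pos_def and neg_def

def f_a(x, modes, w):
    """Right-hand side A_i x + a_i + w, where w stands for the term B u_c + B_d d."""
    A, a = modes[0] if x[0] <= 0.0 else modes[1]
    return [A[r][0] * x[0] + A[r][1] * x[1] + a[r] + w[r] for r in range(2)]

def quad(X, u, v):
    """Bilinear form u^T X v."""
    return sum(u[r] * X[r][c] * v[c] for r in range(2) for c in range(2))

def worst_incremental_ratio(X, modes, n_pairs=2000, seed=1):
    """Largest sampled value of (x1-x2)^T X (f_a(x1)-f_a(x2)) / (x1-x2)^T X (x1-x2)."""
    rng = random.Random(seed)
    worst = -float("inf")
    for _ in range(n_pairs):
        x1 = [rng.uniform(-5, 5), rng.uniform(-5, 5)]
        x2 = [rng.uniform(-5, 5), rng.uniform(-5, 5)]
        w = [rng.uniform(-1, 1), rng.uniform(-1, 1)]   # same inputs at both points
        f1, f2 = f_a(x1, modes, w), f_a(x2, modes, w)
        dx = [x1[k] - x2[k] for k in range(2)]
        df = [f1[k] - f2[k] for k in range(2)]
        worst = max(worst, quad(X, dx, df) / quad(X, dx, dx))
    return worst

if __name__ == "__main__":
    print("X_GOOD satisfies (9.2):", common_lyapunov_ok(X_GOOD, MODES))
    print("X_BAD satisfies (9.2): ", common_lyapunov_ok(X_BAD, MODES))
    print("worst sampled ratio in (9.3):", worst_incremental_ratio(X_GOOD, MODES))
```

A worst ratio that stays below a negative constant over all sampled pairs, including pairs in different modes, is what (9.3) predicts for a valid $X$.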

PWA systems are here primarily viewed as local approximations of the nonlinear
system (3.2) on a subset $\mathcal{V}$ of the state-space (see also [165]). For nonlinear
systems (3.2) of the form

$$\begin{aligned} \dot{x}(t) &= f(x(t)) + B u(t) + B_d d(t) \\ y(t) &= C x(t) \\ z(t) &= C_z x(t), \end{aligned} \qquad (9.4)$$

Algorithm 9.1 constructs a Delaunay-partition $\mathcal{D}$ of $\mathcal{V}$ and a PWA system over $\mathcal{D}$
such that the model approximation error of the right-hand sides of (3.2) and (9.1) is
smaller than a specified bound $\varepsilon$

$$\forall x \in \mathcal{V},\ u \in \mathbb{R}^m,\ d \in \mathbb{R}^k: \quad \|f_a(x, u, d) - (f(x) + B u + B_d d)\| \le \varepsilon. \qquad (9.5)$$

Various methods for the computation of the initial Delaunay partition and the
refinement of a given partition are described elsewhere in detail [90].

Example 9.1 (Piecewise affine model of a ship). The piecewise affine ship model 
is obtained by ignoring the input range limitations. Recall that, ignoring the input 
limitations, the state equation for the ship model f li.il )-( fi~?l ) is of the form 

$$\dot{x}(t) = f(x(t)) + B u(t) + B_d d(t).$$

Therefore, a model approximation is only necessary for the autonomous part, which
only depends on the state, and for which a piecewise affine approximation of
arbitrary accuracy may be obtained at the cost of a very fine state space partition.
The application of Algorithm 9.1 with $\varepsilon = 1.4$ provides a piecewise affine model of
the form (9.1) on a partition with 196 simplices covering the hypercube $-3 \le v \le 3$,
$-1 \le w \le 1$, $-\pi \le r \le \pi$, which is shown in Fig. 9.2. The 196 parameter pairs $(A_i, a_i)$
are not explicitly written here. The model elements $B$, $B_d$, $C$, and $C_z$ are the same
as in the linear model (4.8), (4.9), because they involve no approximation.
Algorithm 9.1. Error-bounded nonlinear system approximation by PWA system

Require: $f(x)$, $B$, $B_d$, $C$, $C_z$, $\varepsilon$, $\mathcal{V}$

1: Generate initial Delaunay partition $\mathcal{D}_0 = \{S_1, S_2, \dots\}$ of $\mathcal{V} \subset \mathbb{R}^n$, set $k = 0$
2: repeat
3:   for $i = 1$ to $\dim(\mathcal{D}_k)$ do
4:     Let $v_1, \dots, v_{n+1}$ be the vertices of the simplex $S_i$
5:     Solve the system of equations

$$\begin{pmatrix} v_1^T & 1 \\ v_2^T & 1 \\ \vdots & \vdots \\ v_{n+1}^T & 1 \end{pmatrix} \begin{pmatrix} A_i^T \\ a_i^T \end{pmatrix} = \begin{pmatrix} f(v_1)^T \\ f(v_2)^T \\ \vdots \\ f(v_{n+1})^T \end{pmatrix}$$

       for $A_i$, $a_i$.
6:   end for
7:   Compute $e = \max_{x \in \mathcal{V}} \|A_i x + a_i - f(x)\|$
8:   if $e > \varepsilon$ then
9:     Refine($\mathcal{D}_k$) $\to \mathcal{D}_{k+1}$; $k = k + 1$
10:  end if
11: until $e \le \varepsilon$

Result: PWA system (9.1) that approximates the nonlinear system (9.4) within the
error bound (9.5).
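Algorithm 9.1 carried out for a two-dimensional state, as an added example that is not code from the monograph. Assumptions made here: the vector field `f_pendulum`, the square $[-2, 2]^2$ and the bound 0.05 are constructed; a uniform grid triangulation refined by halving the cell size stands in for a general Delaunay refinement; and the maximum in step 7 is estimated on a barycentric sample grid rather than computed exactly.

```python
import math

def solve(M, R):
    """Gauss-Jordan elimination with partial pivoting: X such that M X = R."""
    k = len(M)
    aug = [list(M[i]) + list(R[i]) for i in range(k)]
    for col in range(k):
        piv = max(range(col, k), key=lambda r: abs(aug[r][col]))
        if abs(aug[piv][col]) < 1e-12:
            raise ValueError("degenerate simplex")
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(k):
            if r != col:
                fac = aug[r][col] / aug[col][col]
                aug[r] = [a - fac * b for a, b in zip(aug[r], aug[col])]
    return [[aug[i][k + j] / aug[i][i] for j in range(len(R[0]))] for i in range(k)]

def fit_affine(verts, f):
    """Step 5: solve [v_j^T 1] [A^T; a^T] = f(v_j)^T over the n+1 vertices."""
    n = len(verts[0])
    X = solve([list(v) + [1.0] for v in verts], [list(f(v)) for v in verts])
    A = [[X[c][r] for c in range(n)] for r in range(n)]  # first n rows of X are A^T
    return A, X[n]                                       # last row of X is a^T

def affine(A, a, x):
    return [sum(A[r][c] * x[c] for c in range(len(x))) + a[r] for r in range(len(a))]

def triangulate(lo, hi, cells):
    """Conforming triangulation of the square [lo, hi]^2 into 2*cells^2 simplices."""
    h = (hi - lo) / cells
    tris = []
    for i in range(cells):
        for j in range(cells):
            x, y = lo + i * h, lo + j * h
            tris.append([(x, y), (x + h, y), (x + h, y + h)])
            tris.append([(x, y), (x, y + h), (x + h, y + h)])
    return tris

def local_error(verts, A, a, f, m=8):
    """Step 7 on one simplex: worst ||A x + a - f(x)|| over a barycentric sample grid."""
    worst = 0.0
    for i in range(m + 1):
        for j in range(m + 1 - i):
            lam = (i / m, j / m, (m - i - j) / m)
            x = [sum(l * v[d] for l, v in zip(lam, verts)) for d in range(2)]
            res = [p - q for p, q in zip(affine(A, a, x), f(x))]
            worst = max(worst, math.hypot(*res))
    return worst

def approximate(f, lo, hi, eps, cells=1, max_refinements=8):
    """Repeat fit / error check / refine until the sampled error is within eps."""
    for _ in range(max_refinements + 1):
        modes = [(v,) + fit_affine(v, f) for v in triangulate(lo, hi, cells)]
        err = max(local_error(v, A, a, f) for v, A, a in modes)
        if err <= eps:
            return modes, err
        cells *= 2                      # Refine(D_k) -> D_{k+1}
    raise RuntimeError("error bound not reached")

def pwa_values(modes, x):
    """Values A_i x + a_i of every mode whose simplex contains x (several on edges)."""
    vals = []
    for verts, A, a in modes:
        M = [[v[0] for v in verts], [v[1] for v in verts], [1.0, 1.0, 1.0]]
        lam = [row[0] for row in solve(M, [[x[0]], [x[1]], [1.0]])]
        if min(lam) >= -1e-9:
            vals.append(affine(A, a, x))
    return vals

def f_pendulum(x):
    """Constructed autonomous part f(x): damped pendulum."""
    return [x[1], -math.sin(x[0]) - 0.5 * x[1]]

if __name__ == "__main__":
    modes, err = approximate(f_pendulum, -2.0, 2.0, 0.05)
    print(len(modes), "simplices, sampled error", round(err, 4))
    print("values on a shared edge:", pwa_values(modes, [0.25, 0.25]))
```

Because each affine piece interpolates $f$ at the vertices of its simplex and neighbouring simplices share whole edges, the modes agree on common boundaries, which is the continuity that Assumption 9.1 requires.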




Fig. 9.2 State-space partition into simplices for ship model.



Fig. 9.3 shows the solutions of the nonlinear and two PWA models corresponding
to the initial surge velocity $v(0) = 2$, initial sway velocity $w(0) = 0.1$, and initial yaw
velocity $r(0) = -0.79$, the same case that was used to validate the linear model. The
PWA models are based on 33 and 196 simplices. The figure shows clear improvements
of PWA modelling compared to linear modelling. The surge, sway, and yaw
velocities obtained using the PWA model all agree much better with those obtained
using the nonlinear model than those obtained using the linear model (see Fig. 4.2
on page 58). The model accuracy improves with increasing number of simplices.

Fig. 9.3 Comparison of ship responses obtained with a nonlinear and two PWA models (33
vs. 196 simplices) in terms of the surge, sway, and yaw velocities.

Fig. 9.4 compares the resulting ship positions and headings in the earth-fixed
reference frame $(x, y)$ starting from the initial position $(x(0), y(0))^T = (0, 0)^T$ and the
initial heading $\psi(0) = 22.5°$. The heading is represented by an oriented triangular
ship symbol shown every 5 seconds. Like the velocities, the position and heading
obtained from the piecewise affine model correspond much better with those obtained
with the nonlinear model than those obtained with the linearised model (see Fig. 4.3
on page 58). Notably, the PWA model based on 196 simplices correctly predicts the
rotation. Even the final heading agrees remarkably well with that obtained from the
nonlinear model. The most obvious difference between the nonlinear and the
piecewise affine models is the surge velocity, which causes a difference in the predicted
translational motion. Summarising the model comparison, sufficiently complex PWA
models are excellent approximations of nonlinear models. The accuracy comes at the
price of high model complexity.

Fig. 9.4 Comparison of ship responses obtained with a nonlinear and two PWA (33 vs. 196
simplices) models in absolute coordinates.

9.2 Nominal Closed-Loop System and Assumptions 

Throughout this part, the nominal controller $\Sigma_C$ for the nominal PWA plant (9.1) is
a general nonlinear controller

$$\Sigma_C: \begin{cases} \dot{x}_c(t) = f_c(x_c(t), y(t), r(t)) \\ u_c(t) = h_c(x_c(t), y(t), r(t)), \end{cases} \qquad (9.6)$$

$$x_c(0) = x_{c0}$$

with the internal state $x_c(t) \in \mathbb{R}^{n_c}$, the measurement $y(t) \in \mathbb{R}^q$, the reference input
$r(t) \in \mathbb{R}^p$, and the control input $u_c(t) \in \mathbb{R}^m$.

The nominal PWA plant (9.1) together with the controller (9.6) give rise to the
nominal closed-loop system $(\Sigma_P, \Sigma_C)$.

The following assumptions are used for Part III of this monograph. The first 
assumption for the nominal closed-loop system is in place for solving the stability 
recovery problem. 

Assumption 9.2 (Stabilising nominal control). The nominal closed-loop system
$\Sigma_l = (\Sigma_P, \Sigma_C)$ that consists of the nominal PWA system (9.1) and the nominal
controller (9.6) is ISS w.r.t. the input $(r, d)$, and IOS w.r.t. the input $(r, d)$ and the output
$(x, u_c)$.

The previous assumption means that, for bounded reference and disturbance inputs,
the nominal closed-loop system responds with a bounded plant state and a bounded
control input. The following assumption replaces Assumption 9.2 for solving the
stability and tracking recovery problem.

Assumption 9.3 (Stabilising and setpoint tracking nominal control). The nominal
closed-loop system $\Sigma_l = (\Sigma_P, \Sigma_C)$ that consists of the nominal PWA system (9.1)
with bounded measurement noise $n_y$ ($y(t) = C x(t) + n_y(t)$ where $\lim_{t \to \infty} n_y(t) = 0$)
and the nominal controller (9.6) is ISS w.r.t. the input $(r, d, n_y)$ and IOS w.r.t. the
input $(r, d, n_y)$ and the output $(x, u_c)$. Furthermore, constant reference commands
$r(t) = \bar{r}\,p(t)$, $\bar{r} \in \mathbb{R}^p$, are asymptotically tracked to precision $\kappa > 0$ in the presence of
arbitrary constant disturbances $d(t) = \bar{d}\,p(t)$, $\bar{d} \in \mathbb{R}^k$, and measurement noise $n_y$ with
a constant steady-state control input $\bar{u}_c \in \mathbb{R}^m$ in the sense that for all $x_0$ and $x_{c0}$

$$\left( d(t) = \bar{d}\,p(t),\ r(t) = \bar{r}\,p(t) \right) \Rightarrow \begin{cases} \limsup_{t \to \infty} \|r(t) - z(t)\| \le \kappa \\ \lim_{t \to \infty} u_c(t) = \bar{u}_c. \end{cases}$$




The previous assumption is realistic in many cases and approaches for the tracking
control of PWA systems have been recently reported in the literature [159, 228].
These approaches can be used to ensure or verify Assumption 9.3. The rejection of
transient measurement noise is not restrictive but needed in the subsequent proofs.

9.3 Faults in Piecewise Affine Systems 

In piecewise affine systems (9.1), faults are assumed not to affect the state-space
partition, but only the system parameters as defined below.

Definition 9.2 (Actuator faults in piecewise affine systems). An actuator fault in
a piecewise affine system is an event occurring at time $t_f$ that changes the nominal
input matrix $B \in \mathbb{R}^{n \times m}$ to the faulty input matrix $B_f \in \mathbb{R}^{n \times m}$ of the same dimensions,
and that changes the nominal affine terms $a_i \in \mathbb{R}^n$ to the faulty affine terms $a_{f,i} \in \mathbb{R}^n$
of the same dimensions.

Definition 9.3 (Sensor faults in piecewise affine systems). A sensor fault in a
piecewise affine system is an event occurring at time $t_f$ that changes the nominal
measurement matrix $C \in \mathbb{R}^{q \times n}$ to the faulty measurement matrix $C_f \in \mathbb{R}^{q \times n}$ of the
same dimensions.

The fault event abruptly changes the nominal PWA system (9.1) to the faulty PWA
system

$$\Sigma_{Pf}: \begin{cases} \dot{x}_f(t) = A_i x_f(t) + a_{f,i} + B_f u_f(t) + B_d d(t) & \text{for } x_f(t) \in \Lambda_i,\ i \in \{1, \dots, r\} \\ y_f(t) = C_f x_f(t) \\ z_f(t) = C_z x_f(t) \end{cases} \qquad (9.7)$$

$$x_f(0) = x_0,$$

where the matrices $B_f$, $C_f$ and the family of vectors $a_{f,i}$, $i \in \{1, \dots, r\}$, reflect the
fault, whereas all other matrices remain unchanged. The parameter changes may be
arbitrary as long as they obey the following assumption.

Assumption 9.4. The right-hand side of the faulty system (9.7) is assumed to be a
continuous function of $x_f$, $u_f$ and $d$.

The typical changes in the matrices $B_f$ and $C_f$ are the same as already discussed
for linear systems in Section 4.3. The blockage of actuators $j \in \mathcal{J}$, $\mathcal{J} \subset \{1, \dots, m\}$, is
typically modeled by means of a changed affine term

$$a_{f,i} = a_i + \sum_{j \in \mathcal{J}} b_j \bar{u}_j, \quad i \in \{1, \dots, r\} \qquad (9.8)$$

and by means of corresponding zero columns in the matrix $B_f$. In view of the typical
model (9.8) of blocked actuators and the fact that the input matrices $B$ and $B_f$ are
not mode-dependent, Assumption 9.4 is not restrictive.
A final assumption about the faulty system is made. 
Assumption 9.5 (Actuator blockage compensatability). The nominal PWA plant
(9.1) and the faulty PWA plant (9.7) satisfy the condition

$$\forall i \in \{1, \dots, r\}: \quad a_i - a_{f,i} \in \operatorname{im} B_f. \qquad (9.9)$$



This assumption means that the forcing input caused by blocked actuators can be 
compensated by the remaining, in other words functioning, actuators. The relax- 
ation of this assumption is possible and is discussed after the presentation of the 
reconfiguration solution. 

Table 9.1 summarises the expressiveness of the piecewise affine fault model.
Clearly, the piecewise affine faulty system models are more expressive than the
linear faulty system models. By comparison with Hammerstein-Wiener systems,
however, reduced actuation ranges are not representable in PWA systems, since
input limitations are not modelled in PWA systems at all. On the other hand, actuator
blockage in arbitrary positions is readily representable within the piecewise affine
model framework.



Table 9.1 Technological faults representable by piecewise affine fault models.

| Technological fault | Representable | By model parameter |
|---|---|---|
| Changed actuator gain | ✓ | $B_f$ |
| Changed nonlinear actuator characteristic | × | |
| Changed or reduced actuation range | × | |
| Actuator failure at the operating point | ✓ | $B_f$ |
| Actuator failure off the operating point | | $a_{f,i}$, $B_f$ |
| Changed sensor gain | ✓ | $C_f$ |
| Changed nonlinear sensor characteristic | × | |
| Sensor failure | ✓ | $C_f$ |

Legend: ✓: fully representable; (✓): exclusively representable in this system class;
((✓)): representable leaving the system class; ×: not representable.



Example 9.2 (Piecewise affine model of a ship subject to faults). The PWA model
of the faulty ship has the same model elements $B_f$ and $C_f$ as the linear model (4.19)
of the faulty ship to represent the failed gyro sensor (f\) and floating rudder (fi). 
The blockage of the rudder (ft) at the position p is embedded into the affine model 
term a/j as follows: 

afj = aj + bip, ie{l,...,r}. (9.10) 

The entire faulty ship is described by the PWA model 

$$\begin{aligned} \dot{x}_f(t) &= A_i x_f(t) + a_{f,i} + B_f u_f(t) + B_d d(t) \quad \text{for } x_f(t) \in \Lambda_i,\ i \in \{1, \dots, r\} \\ y_f(t) &= C_f x_f(t) \\ z_f(t) &= C_z x_f(t). \end{aligned} \qquad (9.11)$$

The fault f$ meaning a floating rudder is obtained by the special case p = 0. The
reduced actuation range of the left thruster (fn) is not representable within the PWA 
modelling framework. 

Example 9.3 (Piecewise affine model of the two-tank system). In this part, the
running example consisting of the two-tank system defined in Chapter 1.5 is used.
The two-tank system (1.14) has an input affine form similar to with the
difference that in the tanks system (1.14), the input matrix is a nonlinear function of
the state. Its model is approximated by piecewise affine dynamics of the form (9.1),
where the constant input matrix $B$ is the Jacobian of the nonlinear vector field
evaluated at the operating point u$ = (0.5 0.5 0.8)^T. The approximation gives rise to a
PWA system with 22 regions. The vector fields of the nonlinear system and its PWA
approximation along with the state-space partition are shown in Fig. 9.5 and 9.6.



Fig. 9.5 Nonlinear vector field of the two-tank system.

Fig. 9.6 PWA vector field of the two-tank system.

The response of the tanks model subject to these faults and reconfiguration using
a linear virtual sensor and a linear virtual actuator is shown in Fig. 9.7. The sensor
for the level $h_1$ fails at $t_{fs} = 40$ s, whereas the lower valve fails at $t_{fa1} = 20$ s and
the upper valve degrades at $t_{fa2} = 35$ s. Although the system is stable due to the
reconfiguration, it deviates so far from the reference trajectory that the left tank,
whose height is 0.6 m, would overflow in reality. The disturbance estimate provided
by the virtual sensor is very inaccurate. After large transients to −3823 ml/s, it settles
at a steady-state value near −642 ml/s, which is considerably off the true value at
−20 ml/s. The large estimation error and the large deviation from the nominal case
are visible in the estimation error $\|e\|$ and the difference state $\|x_\Delta\|$ on the two lower
axes.

Fig. 9.7 Response of reconfigured closed-loop tanks system based on linear virtual sensor
and linear virtual actuator with periodic reference input.
While linear methods are adequate for the system of tanks if staying near the
equilibrium of linearisation (see, for example, n!71[ 17751/ ), this example shows that
the linear methods are not sufficient when the system deviates considerably from an
equilibrium, as is the case in this startup procedure. This example emphasises the
need for reconfiguration methods that provide global stability and tracking on the
entire state-space. Such methods are presented in the next two chapters.



9.4 Specific Reconfiguration Problems 

The reconfiguration block (3.21) is a PWA system consisting of a PWA virtual
actuator and a PWA virtual sensor. It can be written in the general form

$$\Sigma_R: \begin{cases} \dot{\xi}(t) = A_{ri} \xi(t) + a_{ri} + B_r u_c(t) + E_r y_f(t) & \text{for } \xi(t) \in \Lambda_{ri},\ i \in \{1, \dots, r_r\} \\ u_f(t) = C_r \xi(t) + D_r u_c(t) \\ y_c(t) = G_r y_f(t) + F_r \xi(t) \end{cases} \qquad (9.12)$$

$$\xi(0) = \xi_0$$

and its state $\xi(t) \in \mathbb{R}^{2n}$ has twice the number of states as the nominal and the faulty
plant. The reconfiguration block is connected to the faulty plant (9.7) through their
common signals $u_f$ and $y_f$ as well as to the nominal controller (9.6) through the
common variable $u_c$ and the interconnection $y(t) = y_c(t)$. The reconfiguration block
state $\xi$ resides in a state space that is partitioned into a collection of polyhedra $\Lambda_{ri}$,
$i \in \{1, \dots, r_r\}$, whose union covers its entire state space: $\bigcup_{i=1}^{r_r} \Lambda_{ri} = \mathbb{R}^{2n}$. The mode of
the reconfiguration block is determined exclusively by means of its state $\xi$ and the
polyhedra $\Lambda_{ri}$, $i \in \{1, \dots, r_r\}$. From a control point of view, it is of interest to at least
recover the ISS property for the reconfigured closed-loop system (9.6), (9.7), (9.12).
More precisely, the following problems are solved in this part.

Problem 9.1 (Stability recovery for PWA systems). Consider the nominal
controller (9.6), the nominal PWA system (9.1), and the faulty PWA system (9.7). Find
a reconfiguration block $\Sigma_R$ of the form (9.12) such that

$$\forall \Sigma_C: \ \left( (\Sigma_P, \Sigma_C) \text{ ISS w.r.t. } (r, d) \right) \Rightarrow \left( (\Sigma_{Pf}, \Sigma_R, \Sigma_C) \text{ ISS w.r.t. } (r, d) \right).$$

This problem concerns the stability recovery. The following problem extends the 
scope to setpoint tracking recovery. 

Problem 9.2 (Stable asymptotic setpoint tracking recovery for PWA systems).
Consider the nominal controller (9.6), the nominal PWA system (9.1), and the faulty
PWA system (9.7). Find a reconfiguration block $\Sigma_R$ of the form (9.12) such that

$$\forall \Sigma_C: \ \left( (\Sigma_P, \Sigma_C) \text{ ISS w.r.t. } (r, d) \right) \Rightarrow \left( (\Sigma_{Pf}, \Sigma_R, \Sigma_C) \text{ ISS w.r.t. } (r, d) \right),$$

and such that for constant disturbances $d(t) = \bar{d}\,p(t)$, $\bar{d} \in \mathbb{R}^k$, constant reference
inputs $r(t) = \bar{r}\,p(t)$, $\bar{r} \in \mathbb{R}^p$, and for all $x_0 \in \mathbb{R}^n$, $x_{c0} \in \mathbb{R}^{n_c}$, $\xi_0 \in \mathbb{R}^{2n}$, it holds that

$$\left( \limsup_{t \to \infty} \|r(t) - z(t)\| \le \kappa \right) \Rightarrow \left( \limsup_{t \to \infty} \|r(t) - z_f(t)\| \le \kappa \right).$$

The solutions to Problem 9.1 and Problem 9.2 are given in Chapter 10 and
Chapter 11, respectively. The stability recovery for PWA systems was first described in
[169]. The tracking recovery method was first described in [170].

9.5 Bibliographic Notes on Piecewise Affine Systems 

Piecewise affine systems are defined based on partitions of the state-space into
polyhedra. In every polyhedron, the system is governed by a distinct affine (linear
with offset) system equation. The motivation for studying PWA systems is at
least twofold. Firstly, PWA systems are receiving wide attention due to the fact
that the PWA framework initiated in [197] provides a way to describe dynamical
systems exhibiting switching between a multitude of linear dynamical regimes, see
also [35, 90]. The switching can be due to piecewise-linear characteristics such as
dead-zone, saturation, hysteresis or relays. Secondly, PWA systems may result from
piecewise linear approximations of complex nonlinear dynamics [90]. Finally, it
has been shown in the discrete-time case that PWA systems are equivalent to other
hybrid system models, such as mixed logical dynamical models, and linear
complementarity systems under mild well-posedness assumptions [74]. General overviews
of hybrid systems theory are available in J68llll8ll . A good survey of switched linear
systems is given in [105].



It has been recognised that many standard control-related analysis and synthesis
problems for PWA systems are hard, in fact many of them are undecidable from
a computer science point of view [24] in the general case. Therefore, special
subclasses of PWA systems are frequently considered in the literature on stabilisation,
state observation, and performance analysis of piecewise affine systems. On the
other hand, general results for PWA systems tend to be conservative.

Identification methods for PWA models of dynamical systems have been studied
based on a variety of ideas, an overview of which is available in [92]. In
bounded-error techniques, ideas from estimating a PWA autoregressive (PWARX) model are
combined with set-membership identification such that the satisfaction of a prescribed
identification error bound is guaranteed [14]. A clustering technique for the
measured data is used for PWARX model identification [56]. If the number of
discrete modes is known a priori, the identification task becomes easier [135]. Both
the polyhedral state-space partition and the data of the PWARX model are
estimated. In [137], the clustering step is facilitated by the introduction of a Gaussian
mixture model and support vector classifiers for estimating boundary hyperplanes,
which allows estimating the number of polyhedra required to represent the PWA
model. An identification technique using PWA basis function models is described
in [220]. In the Bayesian approach, the system parameters are treated as random
variables whose probability density functions are iteratively updated based on the
available measurements [95]. An algebraic technique that is provably correct in
the noiseless case is described in [215]. A mixed-integer optimisation technique is
available in [182]. A relaxation of mixed-integer formulations into nonlinear
nonconvex continuous-variable optimisation problems is described in [136].

Stability analysis and controller synthesis techniques based on piecewise
quadratic Lyapunov functions are described for the continuous-time case in [165]
(see also [231]) and for the discrete-time case in [54]. Verification and
reachability analysis of discrete-time PWA systems is studied in [15].
Optimal control of discrete-time PWA systems with polyhedral performance indices
was studied in [11]. An $H_\infty$ optimal affine state-feedback control design has been
proposed for uncertain PWA slab systems in [100] and for piecewise linear systems
in [53]. In these methods, the state must be completely measurable and controller
gains are scheduled based on the state. While these approaches reduce the
conservatism associated with quadratic stability based on common Lyapunov functions,
they are not applicable for the purposes of this monograph, because the state of the
system is here assumed to be not completely measurable. An $H_\infty$ output-feedback
control synthesis procedure is described in [20], which is based on dissipativity,
storage functions, and common quadratic Lyapunov functions. The control
problem for hybrid systems has been formulated as a mixed-integer quadratic program
in [132, 133]. Model predictive control of continuous-time PWA systems was
studied in [192], leading to a nonlinear nonconvex optimisation problem, and in [139]
based on a receding-horizon technique with terminal cost and terminal set. Slightly
outside the area of PWA systems, but closely related, are model predictive control
techniques for nonlinear systems, e.g. [99].

Observer design for PWA systems has been studied by several authors, and state
observation for PWA systems is particularly difficult if the discrete mode is not
known. The observability of discrete-time PWA systems was studied in [13], where
it was shown that standard linear observability notions valid for each mode
dynamics do not necessarily carry over to the PWA system. The case where the discrete
mode is known is studied in [4]. Inference of the unknown discrete mode from
discrete inputs and outputs was studied in [10]. The more challenging case of unknown
discrete mode is studied for bimodal systems in [93] both for continuous and
discontinuous dynamics. A moving-horizon state estimation scheme was proposed in
[55], which is computationally demanding because a mixed-integer quadratic
program has to be solved on line. For the general multimode case with unknown modes,
common quadratic Lyapunov functions are the basis of presently available observer
design methods [228]. Observer-based control has been studied in [75, 94, 228].

Similar to Hammerstein-Wiener systems, piecewise affine systems are practically
very relevant, their control is nontrivial, and reconfigurable control of multimode
PWA systems has been studied only by means of model predictive control
techniques to the author's knowledge. Initial ideas for the fault diagnosis and control
reconfiguration of bimodal piecewise affine systems with respect to stability
recovery are reported in [138]. Necessary and sufficient reconfigurability conditions are
likewise not to be expected and not achieved in this monograph. However,
sufficient stabilisability conditions are provided in this monograph along with synthesis
algorithms for recovering the nominal closed-loop stability and tracking properties.



Chapter 10

Stability Recovery after Actuator and Sensor Faults in Piecewise Affine Systems



Abstract. This chapter presents a reconfigurable control solution for piecewise 
affine systems subject to combined actuator and sensor faults based on the fault- 
hiding idea. The approach recovers the input-to-state stability property for the re- 
configured closed-loop system, and it is shown to be robust against uncertainties in 
the piecewise affine model of the faulty plant. 



10.1 Piecewise Affine Virtual Actuator and Virtual Sensor 

For the combined occurrence of actuator faults and sensor faults ($a_{f,i} \neq a_i$, $B_f \neq B$,
$C_f \neq C$), the reconfiguration block $\Sigma_R$ defined in Equation (9.12) is realised by the
interconnection of a piecewise affine virtual sensor $\Sigma_S$ and a piecewise affine virtual
actuator $\Sigma_A$, which are defined as follows (Fig. 10.1).



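Definition 10.1 (Piecewise affine virtual sensor). The piecewise affine virtual
sensor is the dynamical system

$$\Sigma_S: \begin{cases} \dot{\hat{x}}_f(t) = (A_i - L C_f) \hat{x}_f(t) + a_{f,i} + B_f u_f(t) + L y_f(t) & \text{for } \hat{x}_f(t) \in \Lambda_i,\ i \in \{1, \dots, r\} \\ y_c(t) = y_f(t) + (C - C_f) \hat{x}_f(t) \end{cases} \qquad (10.1)$$

with the initial condition $\hat{x}_f(0) = \hat{x}_{f0}$.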



The PWA virtual sensor contains a model of the faulty plant (9.7) augmented by
output error injection. Its mode $i$ is completely determined based on the virtual
sensor state $\hat{x}_f$ and requires no information about the mode of the observed faulty PWA
system.
Definition 10.2 (Piecewise affine virtual actuator). The piecewise affine
virtual actuator is the dynamical system

$$\Sigma_A: \begin{cases} \dot{\tilde{x}}(t) = A_j \tilde{x}(t) + a_j + B u_c(t) & \text{for } \tilde{x}(t) \in \Lambda_j,\ j \in \{1, \dots, r\} \\ y(t) = y_c(t) + C x_\Delta(t) \\ u_f(t) = M x_\Delta(t) + B_f^+ a_{\Delta,j} \end{cases} \qquad (10.2)$$

with the initial condition $\tilde{x}(0) = \hat{x}_{f0}$, where $x_\Delta(t) = \tilde{x}(t) - \hat{x}_f(t)$ is in accordance
with Equation (3.35), and where

$$a_{\Delta,j} = a_j - a_{f,j} \qquad (10.3)$$

is the difference between nominal and faulty affine terms.



The reconfiguration block $\Sigma_R = (\Sigma_S, \Sigma_A)$ contains a PWA virtual sensor (10.1) with
the state $\hat{x}_f(t)$ at time $t$, and a PWA virtual actuator (10.2) with the state $\tilde{x}(t)$ at
time $t$. The PWA virtual sensor (10.1) contains an observer for the faulty plant $\Sigma_{Pf}$.
The PWA virtual actuator (10.2) contains a reference model for the desired
(fault-free) plant behavior $\Sigma_P$, and feedback to stabilise the faulty plant. The
reconfiguration block (9.12) is initialised with $\xi(0) = (\hat{x}_f(0)^T, \tilde{x}(0)^T)^T = \xi_0 = (\hat{x}_{f0}^T, \hat{x}_{f0}^T)^T$
(Fig. 10.1). In other words, the PWA virtual sensor $\Sigma_S$ and the PWA virtual actuator
$\Sigma_A$ are initialised at equal values at reconfiguration time $t = 0$.

Note that the reconfiguration block defined by the PWA virtual sensor and the
PWA virtual actuator satisfies almost all inactivity conditions (3.22), (3.23) prior
to reconfiguration time, where $C_f = C$ and $B_f = B$, and consequently $\hat{y}_c = y_f$ and
$y_c = y_f$. Furthermore, $a_{\Delta,j} = 0$ holds prior to faults. The further inactivity condition
$u_f = u_c$ must be enforced separately before the appearance of faults.

The affine input $B_f^+ a_{\Delta,j}$ compensates the bias introduced by the difference between
the affine terms of the nominal and the faulty plant, which arises, for example,
from blocking actuators as discussed before. Consider now the blockage of
some actuators whose column indices in the matrix $B$ are collected in the set $J$.
In accordance with Equation (9.8), the difference (10.3) between the nominal and
faulty affine term

$$a_\Delta = \sum_{k \in J} b_k \bar{u}_k \tag{10.4}$$

is mode-independent. The desired compensation is successful if and only if Condition
(9.9) is satisfied, which is true by Assumption 9.5.

The observation error system $\Sigma_e$ and difference system $\Sigma_\Delta$ are governed by the
following differential equations, which are easily obtained from the definitions of
$e$ (Equation (3.39)) and $x_\Delta$ (Equation (3.35)) as well as from Assumption 9.5 by
means of straightforward calculations:

$$\Sigma_e: \dot{e}(t) = k_e(x_f(t) + e(t)) - k_e(x_f(t)) - B_d d(t) \tag{10.5}$$
$$\text{where } k_e(\xi) = (A_i - LC_f)\xi + a_{f,i}, \quad \xi \in \Lambda_i,\ i \in \{1,\dots,r\}, \tag{10.6}$$
$$\Sigma_\Delta: \dot{x}_\Delta(t) = k_\Delta(\tilde{x}(t)) - k_\Delta(\tilde{x}(t) - x_\Delta(t)) + LC_f e(t) + B u_c(t) \tag{10.7}$$
$$\text{where } k_\Delta(\eta) = (A_j - B_f M)\eta + a_{f,j}, \quad \eta \in \Lambda_j,\ j \in \{1,\dots,r\}. \tag{10.8}$$

Fig. 10.1 PWA virtual actuator and virtual sensor for stability recovery after the combined
occurrence of actuator and sensor faults.


Assumption 9.5 is only needed to rearrange the difference system in the form (10.7);
the observation error (10.5) does not depend on that assumption. The PWA virtual
actuator may be interpreted as an approach to match the reconfigured plant behavior
to the nominal plant behavior. The feedback gains $L \in \mathbb{R}^{n \times q}$ and $M \in \mathbb{R}^{m \times n}$ will be
designed to stabilise the observation error $e$ as well as the difference system state
$x_\Delta$.

It is first shown that the reconfiguration block (10.1), (10.2) in combination with
the faulty plant (9.7) satisfies the weak fault-hiding goal.

Lemma 10.1 (Weak fault-hiding). The reconfigured plant $\Sigma_{Pr} = (\Sigma_{Pf}, \Sigma_S, \Sigma_A)$
formed by the faulty PWA plant (9.7), the PWA virtual sensor (10.1), and the PWA
virtual actuator (10.2) satisfies the weak fault-hiding goal.



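Proof. Based on Assumption 9.5, the model of the reconfigured plant is given by
the equations (index $j$ defined by $\tilde{x}(t) \in \Lambda_j$)

$$\frac{d}{dt}\begin{pmatrix} \tilde{x}(t) \\ e(t) \\ x_\Delta(t) \end{pmatrix} = \begin{pmatrix} A_j \tilde{x}(t) + a_j \\ k_e(\tilde{x}(t) - x_\Delta(t)) - k_e(\tilde{x}(t) - x_\Delta(t) - e(t)) \\ k_\Delta(\tilde{x}(t)) - k_\Delta(\tilde{x}(t) - x_\Delta(t)) + LC_f e(t) \end{pmatrix} + \begin{pmatrix} B \\ 0 \\ B \end{pmatrix} u_c(t) - \begin{pmatrix} 0 \\ B_d \\ 0 \end{pmatrix} d(t), \tag{10.9}$$

$$y_c(t) = \begin{pmatrix} C & -C_f & 0 \end{pmatrix} \begin{pmatrix} \tilde{x}(t) \\ e(t) \\ x_\Delta(t) \end{pmatrix}, \qquad \begin{pmatrix} \tilde{x}(0) \\ e(0) \\ x_\Delta(0) \end{pmatrix} = \begin{pmatrix} \hat{x}_{f0} \\ \hat{x}_{f0} - x_0 \\ 0 \end{pmatrix}. \tag{10.10}$$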



This model shows that the dynamical equation for the reference state $\tilde{x}$ is decoupled
from the observation error $e$ and the difference state $x_\Delta$. The output $y_c$ depends on
$\tilde{x}$ and $e$, where the observation error $e$ is autonomous with respect to the control
input $u_c$ and only driven by the disturbance $d$. Weak fault hiding (Definition [53|) is
achieved by the matching initialisation $\hat{x}_{f0} = x_0$, and the nominal I/O behaviour is
recovered for $d = 0$. ■

The matching initialisation $\hat{x}_{f0} = x_0$ is in general practically not achievable, because
the initial condition $x_0$ is often not completely measurable. Furthermore, the disturbance
does not appear in the output $y_c$. However, the stability recovering solution
to Problem 9.1 described in the next section is also achieved for inaccurate initialisation
and mismatch in the disturbance behaviour. Two ways of approximately
matching initialisation are opened by running the PWA virtual sensor based on the
nominal PWA model (9.1) before the appearance of the fault.

1. If the combined diagnosis and reconfiguration delay is small with respect to 
the plant time constants, then the error made by initialising with the last state 
estimate will be small. 

2. If the diagnosis delay is large, then it is useful to first design and update the PWA 
virtual sensor, wait for convergence of the observation error for a sufficiently 
long period of time, and to finally update and initialize the PWA virtual actuator 
with the virtual sensor state valid at that time. 

The following section presents the main stability result and associated synthesis 
methods for the PWA virtual sensor and the PWA virtual actuator. 



10.2 Main Stability Result 



In this section, the solution to Problem 9.1 is given. Namely, sufficient conditions for
the global ISS properties of the observation error and difference system are provided
in two lemmas, and it is shown that these conditions also imply the global ISS of
the reconfigured closed-loop system.

Lemma 10.2 (Input-to-state stability of the observation error). Consider the
faulty PWA system (9.7), and suppose that Assumption 9.4 holds. If there exist matrices
$X_s \in \mathbb{R}^{n \times n}$, $X_s = X_s^T > 0$, and $Y_s \in \mathbb{R}^{n \times q}$ that satisfy the LMIs

$$X_s A_j + A_j^T X_s - Y_s C_f - C_f^T Y_s^T < 0, \quad j = 1,\dots,r, \tag{10.11}$$

then the system (10.1) with the gain $L = X_s^{-1} Y_s$ is an observer for the faulty
system (9.7) with 0-GES error dynamics for $d = 0$. The observation error (3.39)
satisfies the dynamics (10.5), (10.6), and all solutions $e(t)$ of the undisturbed
system (10.5), (10.6) satisfy the relation

$$\|e(t)\| \le c\,e^{-at}\,\|e(0)\|, \quad t \in [0,\infty), \tag{10.12}$$

where the real numbers $c > 0$ and $a > 0$ depend only on $X_s$ and $Y_s$. Furthermore,
the observation error (10.5) is ISS w.r.t. the disturbance input $d$.



Proof. The case without disturbance is equivalent to the case considered in [158,
228]. Note that the function (10.6) is continuous in its arguments by construction.
To show ISS of the error dynamics (10.5), (10.6) w.r.t. the disturbance input $d$, an
ISS-Lyapunov function $V(e) = \frac{1}{2} e^T X e$ is constructed. By using Theorem 9.1 while
observing that the error dynamics (10.5), (10.6) is continuous, one directly obtains
for some $a > 0$, $b > 0$, $\theta \in (0, 1)$ that

$$\begin{aligned} \dot{V}(e) = e^T X \dot{e} &= e^T X \left( k_e(x_f + e) - k_e(x_f) - B_d d \right) \\ &\le -a\,e^T X e - e^T X B_d d \\ &\le -b\|e\|^2 + \|e\| \cdot \|X B_d\| \cdot \|d\| \\ &= -(1-\theta)\,b\|e\|^2 - \theta b\|e\|^2 + \|e\| \cdot \|X B_d\| \cdot \|d\| \\ &\le -(1-\theta)\,b\|e\|^2 \quad \text{if } \|e\| \ge \frac{\|X B_d\|}{\theta b}\,\|d\|, \end{aligned}$$



which is a Lyapunov characterisation of the ISS property 119 

Lemma 10.3 (Input-to-state stability of the difference system). Consider the
faulty PWA system (9.7) and suppose that Assumptions 9.5 and 9.4 hold. If there
exist matrices $X_a \in \mathbb{R}^{n \times n}$, $X_a = X_a^T > 0$, and $Y_a \in \mathbb{R}^{m \times n}$ that satisfy the LMIs

$$A_i X_a + X_a A_i^T - B_f Y_a - Y_a^T B_f^T < 0, \quad i = 1,\dots,r, \tag{10.13}$$

then the difference system (10.7), (10.8) of the virtual actuator (10.2) with the gain
$M = Y_a X_a^{-1}$ is 0-GES for $u_c, e = 0$. In other words, every solution $x_\Delta(t)$ of the
unforced difference system (10.7), (10.8) (i.e. $u_c, e = 0$) satisfies the relation

$$\|x_\Delta(t)\| \le c\,e^{-at}\,\|x_\Delta(0)\|, \quad t \in [0,\infty), \tag{10.14}$$

where the real numbers $c > 0$ and $a > 0$ depend only on $X_a$ and $Y_a$. Furthermore,
the difference system (10.7) is ISS w.r.t. the input $(u_c, e)$.

Proof. Observing that the difference system (10.7), (10.8) is continuous by construction,
it is globally exponentially stable for $u_c(t) = e(t) = 0$ by Theorem 9.1 and
ISS w.r.t. its input $(u_c, e)$ if the condition

$$X(A_j - B_f M) + (A_j - B_f M)^T X < 0, \quad X = X^T > 0$$

is satisfied for all $j = 1,\dots,r$, which is equivalent to Condition (10.13) after pre-
and postmultiplication with $X^{-1}$, reordering, and linearising changes of variables
$X_a = X^{-1}$ and $Y_a = M X_a$. The exponential decay rate of the initial state follows from
Theorem 9.1. It is now explicitly shown that the difference system is indeed ISS
w.r.t. $(u_c, e)$. Consider the quadratic function $V(x_\Delta) = \frac{1}{2} x_\Delta^T P x_\Delta$. Using Theorem 9.1,
its derivative along solutions of (10.7), (10.8) satisfies

$$\begin{aligned} \dot{V}(x_\Delta) &= x_\Delta^T P \left( k_\Delta(\tilde{x}) - k_\Delta(\tilde{x} - x_\Delta) + LC_f e + B u_c \right) \\ &\le -a\,x_\Delta^T P x_\Delta + x_\Delta^T P L C_f e + x_\Delta^T P B u_c, \end{aligned}$$

where $a > 0$ is a constant. This inequality is readily transformed into a Lyapunov
characterisation of ISS (see the proof of Lemma 10.2), and consequently the difference
system (10.7), (10.8) is ISS w.r.t. the input $(u_c, e)$. ■

Combining Lemma 10.1, Lemma 10.2 and Lemma 10.3, the main result that solves
Problem 9.1 is presented. Its proof is technical and available in the appendix.



Theorem 10.1 (Reconfigured closed-loop stability recovery). Suppose that
the Assumptions 9.1, 9.2, 9.5 and 9.4 are satisfied, and suppose that the
LMIs (10.11) and (10.13) are feasible. Then, the reconfigured closed-loop
system $(\Sigma_{Pf}, \Sigma_S, \Sigma_A, \Sigma_C)$ consisting of the faulty PWA system (9.7), the
controller (9.6), the PWA virtual sensor (10.1), and the PWA virtual actuator (10.2)
is globally ISS w.r.t. the input $(r, d)$.



Proof. See Appendix D, page 265.

Remark 10.1 (Role of fault-hiding). The obtained stability results do not depend on
the accuracy of the guessed initial conditions. In other words, the results are valid
whether or not the initial condition of the reconfiguration block satisfies $\hat{x}_{f0} = x_0$ and
$\tilde{x}_0 = x_0$, as it is clear from the proof of Theorem 10.1 by considering that $\hat{x}_{f0}$ only
affects $e(0)$. The relevance of the weak fault-hiding goal (Lemma 10.1) consists in
re-introducing the nominal closed-loop dynamics into the reconfigured closed-loop
system, see the proof of Theorem 10.1.



Remark 10.2 (Non-compensable actuator blockage). Assumption [93] can be easily
relaxed as follows. In the case where the actuator blockage cannot be compensated,
the difference system (10.7) is augmented by an added term

$$\Sigma_\Delta: \dot{x}_\Delta(t) = k_\Delta(\tilde{x}(t)) - k_\Delta(\tilde{x}(t) - x_\Delta(t)) + LC_f e(t) + B u_c(t) + (I - B_f B_f^+)\,a_\Delta\,g(t)$$

where $g(t) = 1$, which acts like a constant additive input to the difference system.
The difference system is thus also ISS with respect to a new fictitious input $g$ that
acts on the difference system through the structure $(I - B_f B_f^+)\,a_\Delta$, to which a
constant input $g(t) = 1$ is applied. This implies that the system is input-to-state
practically stable (ISpS) w.r.t. the input $(r, d)$ in the sense that convergence to a
neighbourhood of the origin is achieved in the absence of further inputs, instead of
convergence to the origin. The size of the achieved set depends on the gain from the
input $g$ to the state $x_\Delta$.

The design procedure of the reconfiguration block for achieving stability recovery
is summarised in Algorithm 10.1. The steps 1-4 describe the nominal closed-loop
operation before any faults occur. Note that the guessed initial condition $\hat{x}_f(t_0)$ is
not required to be accurate. Once faults are detected in step 5, the virtual sensor
and virtual actuator design activates in steps 6-11, where the gains $L$ and $M$ are
determined. After the gain calculations are finished, the reconfigured closed-loop
system is executed in step 12, starting at reconfiguration time $t = 0$.



Algorithm 10.1. Stability recovering PWA virtual sensor and virtual actuator
synthesis

Require: PWA plant model $A_i$, $a_i$, $B$, $C$, $i \in \{1,\dots,r\}$, initial time $t_0 < 0$, guessed
    initial condition $\hat{x}_{f0}$
 1: Initialise the nominal closed-loop system (9.1), (9.6), (10.1), (10.2), with $C_f = C$,
    $B_f = B$, $a_{f,i} = a_i$, $L = 0$, $M = 0$, $x(t_0) = x_0$, $x_c(t_0) = x_{c0}$, $\hat{x}_f(t_0) = \hat{x}_{f0}$,
    $\tilde{x}(t_0) = \hat{x}_{f0}$. Set the virtual actuator inactive by setting $u_f(t) = u_c(t)$.
 2: Solve the LMI (10.11) with $C_f = C$ and compute a stabilising virtual sensor
    gain $L = X_s^{-1} Y_s$, update PWA virtual sensor (10.1)
 3: repeat
 4:     Run nominal closed-loop system
 5: until actuator or sensor fault $f$ detected and isolated
 6: Construct fault model $a_{f,i}$, $B_f$, $C_f$ and update the PWA virtual sensor (10.1)
    and the PWA virtual actuator (10.2)
 7: Solve the LMIs (10.11) and (10.13) for $X_s$, $Y_s$, $X_a$, $Y_a$
 8: Compute $L = X_s^{-1} Y_s$ and $M = Y_a X_a^{-1}$
 9: Update the PWA virtual sensor (10.1) with $L$
10: Wait for PWA virtual sensor to converge for specified time interval
11: Update and activate the PWA virtual actuator (10.2) with $M$ and initialise
    $\tilde{x}(0) = \hat{x}_f(0)$
12: Run reconfigured closed-loop system (9.7), (9.6), (10.1), (10.2)
Result: Globally ISS reconfigured closed-loop system.
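
As an added illustration of steps 7 to 9 of Algorithm 10.1 (not code from the monograph), the following Python code checks hand-picked candidates for $X_s$, $Y_s$, $X_a$, $Y_a$ against the LMIs (10.11) and (10.13) in every mode of a constructed two-mode PWA model, computes the gains $L$ and $M$, and simulates the virtual sensor (10.1) against the plant for $d = 0$ while the two start in different modes. All matrices, the input signal and the function names are assumptions made for this example; in practice an SDP solver supplies the LMI solutions instead of hand-picked candidates.

```python
"""Added example: LMI check, gain computation and virtual-sensor run (constructed data)."""
import math

def matmul(P, Q):
    return [[sum(P[i][k] * Q[k][j] for k in range(len(Q)))
             for j in range(len(Q[0]))] for i in range(len(P))]

def transpose(P):
    return [list(col) for col in zip(*P)]

def add(P, Q, s=1.0):
    """Return P + s*Q."""
    return [[p + s * q for p, q in zip(rp, rq)] for rp, rq in zip(P, Q)]

def sym(P):
    """Return P + P^T."""
    return add(P, transpose(P))

def inv2(P):
    det = P[0][0] * P[1][1] - P[0][1] * P[1][0]
    return [[P[1][1] / det, -P[0][1] / det], [-P[1][0] / det, P[0][0] / det]]

def neg_def(S):
    """Sylvester criterion for a symmetric 2x2 matrix: S < 0."""
    return S[0][0] < 0 and S[0][0] * S[1][1] - S[0][1] * S[1][0] > 0

def sensor_lmi_ok(A_modes, Cf, Xs, Ys):
    """LMI (10.11): one common (Xs, Ys) must work for every mode."""
    return all(neg_def(add(sym(matmul(Xs, A)), sym(matmul(Ys, Cf)), -1.0))
               for A in A_modes)

def actuator_lmi_ok(A_modes, Bf, Xa, Ya):
    """LMI (10.13): one common (Xa, Ya) must work for every mode."""
    return all(neg_def(add(sym(matmul(A, Xa)), sym(matmul(Bf, Ya)), -1.0))
               for A in A_modes)

# Constructed faulty plant. The modes are split at x1 = 0; the matrices differ
# only in their first column and share the affine term, so the vector field is
# continuous across the boundary.
A_MODES = [[[1.0, 1.0], [0.0, -2.0]],     # Lambda_1: x1 <= 0 (open-loop unstable)
           [[-3.0, 1.0], [1.0, -2.0]]]    # Lambda_2: x1 > 0
A_AFF = [0.2, 0.0]                        # affine term a_f (same in both modes)
BF = [[1.0], [0.0]]
CF = [[1.0, 0.0]]

# Hand-picked candidate LMI solutions (assumption; normally from an SDP solver).
XS, YS = [[2.0, 0.0], [0.0, 1.0]], [[4.0], [2.0]]
XA, YA = [[1.0, 0.0], [0.0, 1.0]], [[3.0, 1.0]]
L_GAIN = matmul(inv2(XS), YS)             # step 8: L = Xs^-1 Ys
M_GAIN = matmul(YA, inv2(XA))             # step 8: M = Ya Xa^-1

def mode(x):
    return 0 if x[0] <= 0.0 else 1

def simulate_virtual_sensor(L, x0, xhat0, T=8.0, dt=1e-3):
    """Euler run of the plant and the virtual sensor (10.1) with d = 0.

    Returns (initial error norm, final error norm, steps spent in mixed mode).
    """
    x, xh = list(x0), list(xhat0)
    err0 = math.hypot(xh[0] - x[0], xh[1] - x[1])
    mixed_steps = 0
    for k in range(int(round(T / dt))):
        y = CF[0][0] * x[0] + CF[0][1] * x[1]            # y_f = C_f x_f
        yh = CF[0][0] * xh[0] + CF[0][1] * xh[1]
        u = 2.0 * math.sin(2.0 * k * dt) - 3.0 * y       # constructed input u_f
        Ai, Aj = A_MODES[mode(x)], A_MODES[mode(xh)]     # sensor mode from its own state
        mixed_steps += mode(x) != mode(xh)
        dx = [Ai[r][0] * x[0] + Ai[r][1] * x[1] + A_AFF[r] + BF[r][0] * u
              for r in range(2)]
        dxh = [Aj[r][0] * xh[0] + Aj[r][1] * xh[1] + A_AFF[r] + BF[r][0] * u
               + L[r][0] * (y - yh) for r in range(2)]
        x = [x[r] + dt * dx[r] for r in range(2)]
        xh = [xh[r] + dt * dxh[r] for r in range(2)]
    return err0, math.hypot(xh[0] - x[0], xh[1] - x[1]), mixed_steps

if __name__ == "__main__":
    print("LMI (10.11) holds:", sensor_lmi_ok(A_MODES, CF, XS, YS))
    print("LMI (10.13) holds:", actuator_lmi_ok(A_MODES, BF, XA, YA))
    print("L =", L_GAIN, " M =", M_GAIN)
    print(simulate_virtual_sensor(L_GAIN, [1.0, 0.5], [-1.0, -0.5]))
```

The zero candidate $Y_s = 0$ fails the check for the unstable mode, which shows that output injection is needed here, and the error decays even though the sensor selects its mode from its own state only.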



Example 10.1 (Stability recovering PWA virtual sensor and actuator synthesis
for the two-tank system). A PWA virtual sensor and a PWA virtual actuator are
designed for the two-tank system in order to reconfigure the closed-loop system after
the occurrence of the sensor fault $f_s$ and the valves failure $f_{a1}$ and degradation $f_{a2}$
in order to recover closed-loop stability.

The response of the tanks model subject to these faults is shown in Fig. 10.2. The
sensor for the level $h_1$ fails at $t_{f_s} = 40$ s, whereas the lower valve fails at $t_{f_{a1}} =
20$ s and the upper valve degrades at $t_{f_{a2}} = 35$ s. Due to the reconfiguration, it can
be seen that the system states (solid in upper two axes) are stable and stay close
to the reference trajectories (dashed in upper two axes). However, the disturbance
appearing at $t = 65$ s prevents exact tracking (5th axis from above), since it causes
an offset in the state estimate inside the virtual sensor. It can be seen that the PWA
virtual sensor and the PWA plant are in different modes frequently and for extended
periods of time. The PWA virtual actuator compensates the blocked lower valve
by moving the upper valve to a compensating offset position. Although closed-loop
stability is recovered, the result is not yet satisfactory since the tracking property is
not recovered. In particular, there remains a steady-state offset between reference
and true output for the level $h_1$, and the signal $h_2$ is lagging behind its reference
signal $r_2$.

Fig. 10.2 Response of reconfigured closed-loop tanks system based on stabilising PWA virtual
sensor and stabilising PWA virtual actuator with periodic reference input.

10.3 Reconfigurability Considerations 

In the linear case, the conditions (10.11) and (10.13) reduce to standard Lyapunov
inequalities, which have feasible solutions if and only if the pairs $(C_f, A)$ and
$(A, B_f)$ are detectable and stabilisable, respectively. In the linear case, the existence
of a quadratic Lyapunov function for the faulty system is hence necessary
and sufficient for its stabilisability. In the case of PWA systems, the LMIs (10.11)
and (10.13) represent common quadratic Lyapunov functions for the PWA observation
error and the PWA difference system. This relationship is emphasised by the
fact that the gains $L$ and $M$ are not mode-dependent. It is known that not every
stabilisable PWA system admits a common quadratic Lyapunov function [90].

If the relevant LMIs are infeasible, then a stabilising PWA virtual sensor and 
PWA virtual actuator scheme might exist, but it cannot be found using the sufficient 
stability conditions presented in this chapter. This problem appears to be fundamen- 
tally unavoidable, since the problem of deciding whether all trajectories of a given 
PWA system are bounded is undecidable B2411 . 

At first glance, it might seem that a reduction of this conservatism is achievable
by seeking continuous piecewise quadratic Lyapunov functions instead of common
quadratic Lyapunov functions 191LI105I1 . However, in those works, sufficient conditions
for stability (and stabilisation) in terms of the existence of piecewise quadratic
Lyapunov functions have been obtained for equilibria of PWA systems (all solutions 
converging to the origin). In the approach presented in this chapter, the stability of 
time-varying solutions of certain PWA systems is required (such as the observation 
error and difference systems), and such stability properties are studied using the con- 
cepts of convergence/incremental stability. No such characterisation of incremental 
stability or convergence for PWA systems in terms of piecewise quadratic Lyapunov 
functions exists to date to the knowledge of the author. 

Suppose that, nevertheless, a piecewise quadratic Lyapunov function and associated
mode-dependent gains $L_i$ and $M_i$ exist. The implementation in the case of the
virtual actuator requires

1. knowledge of $\tilde{x}$ and $\hat{x}_f$ (which is not problematic), in order to

2. schedule the gain $M_i$ depending on both $\tilde{x}$ and $\hat{x}_f$, therefore the number of
possible gains is $r^2$, if $r$ denotes the number of polyhedra covering the state
space.

In the case of the virtual sensor, which is essentially an observer, the same
considerations hold. Aspect 1 is a severe problem in this case, since the plant state is
unknown, and the difficulty in observer design for piecewise affine systems consists
in the need to stabilise every possible mixed mode of the observation error. Sufficient
stability conditions that are less conservative than those of Lemma 10.2 have
so far only been found for certain special cases, such as bimodal systems [94].

10.4 Robustness against Piecewise Affine Model Uncertainties 

In the previous sections, it has been assumed that the faulty plant, the PWA virtual 
sensor, and the PWA virtual actuator are PWA systems. The motivation for studying 
this class of systems arises, however, from their ability to well approximate input- 
affine nonlinear systems. In reality, the faulty system is more accurately represented 
by a nonlinear model, whereas the reconfiguration blocks are implemented based on 
a PWA system model. The question arises how robust the reconfiguration scheme is 
against approximation errors of the PWA model. These properties of the closed-loop 
reconfiguration scheme are studied in this section, answering the question about the 
robustness of this reconfiguration scheme. 

For the analysis, assume that the faulty nonlinear system is an input-affine system
of the form

$$\Sigma_{Pf,NL}: \dot{x}_f(t) = f(x_f(t)) + B_f u_f(t) + B_d d(t), \tag{10.15}$$

whereas the PWA virtual sensor (10.1) is based on the PWA model

$$\Sigma_{Pf}: \dot{x}_f(t) = A_i x_f(t) + a_{f,i} + B_f u_f(t) \quad \text{for } x_f(t) \in \Lambda_i,\ i \in \{1,\dots,r\}.$$

The difference between the input-affine model and the PWA model,

$$\varepsilon(x_f) = f(x_f) - A_i x_f - a_{f,i} + B_d d \quad \text{for } x_f \in \Lambda_i,\ i \in \{1,\dots,r\}, \tag{10.16}$$

consists of two parts: the term $f(x_f) - A_i x_f - a_{f,i}$ represents the nonlinear
approximation error, whereas the term $B_d d$ represents the omitted disturbance influence,
since the disturbance is generally not available for measurement. Using the model
error (10.16), the input-affine system (10.15) is re-written as a perturbed PWA model

$$\Sigma_{Pf,NL}: \dot{x}_f(t) = A_i x_f(t) + a_{f,i} + B_f u_f(t) + \varepsilon(x_f(t)) \quad \text{for } x_f(t) \in \Lambda_i,\ i \in \{1,\dots,r\}.$$

Suppose that the model approximation error is globally bounded for vanishing
disturbance:

$$\forall x_f \in \mathbb{R}^n: \|\varepsilon(x_f)\| \le E \quad \text{for } d = 0.$$

This assumption is usually satisfied, and input-affine systems with constant input
gain can be approximated by the class of PWA models (9.1) to arbitrary precision
19011 . Including the modelling error into the observation error (10.5) leads to the new
dynamics for the observation error and the difference system



(10.17) 



E e : e(t) = k e (x f (t) + e(t)) - k e (x f (t)) + (B d i) f® ^ 

where $k_e(\xi) = (A_i - LC_f)\xi + a_{f,i}$, $\xi \in \Lambda_i$, $i \in \{1,\dots,r\}$,

$$\Sigma_\Delta: \dot{x}_\Delta(t) = k_\Delta(\tilde{x}(t)) - k_\Delta(\tilde{x}(t) - x_\Delta(t)) + LC_f e(t) + B u_c(t)$$

where $k_\Delta(\eta) = (A_j - B_f M)\eta + a_{f,j}$, $\eta \in \Lambda_j$, $j \in \{1,\dots,r\}$.

Note that the difference system $\Sigma_\Delta$ does not change. The only influence of the
modelling error is on the observation error system $\Sigma_e$. The following result is obtained.



Theorem 10.2 (Robust PWA virtual sensor and PWA virtual actuator). The
observation error (10.17) is ISpS w.r.t. the disturbance $d$. The reconfigured
closed-loop system $(\Sigma_{Pf,NL}, \Sigma_S, \Sigma_A, \Sigma_C)$ is ISpS with respect to the input $(r, d)$.



Proof. See Appendix D, page 267.

The ISpS property still implies that all system states remain bounded for bounded
reference and disturbance inputs. However, for zero references and zero disturbance,
the system states do not converge to the origin any longer, but to a spherical
neighborhood of the origin whose radius depends on the magnitude of the model
uncertainties. If additional well-behavedness of solutions inside that ball were needed,
then a supplementary small-gain condition would be needed for the feedback
interconnection of the observation error and the model uncertainties.

This result implies that the reconfiguration scheme based on PWA system models 
may be used with nonlinear systems approximated by the PWA model. The model 
uncertainties cause variation of the state whose bound is proportional to the model 
approximation error. Due to the observability of the observation error from the out- 
put y c , the controller may reject the disturbance induced by the modelling error. 
This is shown by means of the example in the next chapter, where the recovery of 
closed-loop tracking is pursued. 



10.5 Duality between Piecewise Affine Virtual Sensor and 
Piecewise Affine Virtual Actuator 

The PWA virtual sensor $\Sigma_S$ and the PWA virtual actuator $\Sigma_A$ are dual systems in the
following sense.

Theorem 10.3 (Duality between the PWA virtual sensor and the PWA virtual
actuator). Any solution $L$ to the PWA virtual sensor design problem for
the pair $(C_f, A_i)$ also parameterises a corresponding solution $M$ to the PWA
virtual actuator design problem for the pair $(A_i, B_f) = (A_i^T, C_f^T)$. The solutions
$L$ and $M$ are linked by means of the relation $L = M^T$.



Proof. See Appendix D, page 268.

This result implies that the duality property linking the linear virtual sensor to the 
linear virtual actuator is also true in the case of PWA systems. The result holds in 
the sense that an approach for obtaining suitable gains for one system can be used 
to obtain suitable gains of the other system. 



10.6 Summary and Discussion 

This chapter has provided a solution to the stability recovery problem after actuator
and sensor faults in PWA systems, where the faults are modelled as changed input
and output matrices and a changed affine term. The fault model can represent actuators
that are blocked in arbitrary positions. The solution consists of a PWA virtual
sensor and a PWA virtual actuator that are generalisations of their linear counterparts.
As in the linear case, the fault-hiding property is a consequence of the internal
structures of the PWA virtual sensor and the PWA virtual actuator (Lemma 10.1).
Further properties, such as stability, depend on the choice of their free parameters.

The main result is a set of sufficient conditions for reconfigured closed-loop ISS
given in LMI form (Theorem 10.1). A necessary and sufficient condition (9.9) for
the possibility of compensating stuck actuators was previously given. The conditions
are also used to formulate a procedure for determining the gains of the PWA
virtual sensor and the PWA virtual actuator (Algorithm 10.1). Although the conditions
are sufficient but not necessary, they provide useful solutions in numerous
practical cases. With respect to the requirements stated in Chapter [T31 the method is
suitable for autonomous online application. Given the current computational power,
it is numerically applicable to small- and medium-size problems. Furthermore, the
method is robust against uncertainties of the PWA model approximating the plant
dynamics (Theorem 10.2). The duality found between the design procedures of the
linear virtual sensor and the linear virtual actuator extends to their PWA counterparts
(Theorem 10.3).

The following chapter extends the approach taken in this chapter from stability 
recovery to tracking recovery. 



Chapter 11

Setpoint Tracking Recovery after Actuator and Sensor Faults in Piecewise Affine Systems



Abstract. This chapter extends the stability recovery approach to the reconfigurable 
control of piecewise affine systems towards the tracking recovery for constant ref- 
erence inputs in the presence of constant disturbances. The extensions are based 
on internal models of the reference and disturbance signals and on the convergence 
property. The reconfiguration scheme is shown to be robust against uncertainties in 
the piecewise affine model of the faulty plant, against time-varying disturbances, 
and against uncertainties in the fault diagnosis result. 



11.1 Rejection of Measured Disturbances



In this chapter, Problem 9.2 is solved. In other words, the question is addressed how
to ensure that the reconfigured closed-loop system $(\Sigma_{Pf}, \Sigma_S, \Sigma_A, \Sigma_C)$ tracks constant
reference inputs $r$ in the presence of constant disturbances with stable dynamics. It
is assumed for the remainder of this chapter that the nominal closed-loop system
$(\Sigma_P, \Sigma_C)$ tracks constant reference signals in the sense that Assumption 9.3 will be a
standing assumption.

This section addresses the comparatively easy case where the disturbance signal
$d$ acting on the faulty system (9.7) is measured. Otherwise, internal-model-based
extensions of the PWA virtual sensor and the PWA virtual actuator are used as shown
in Section 11.2 below.

The disturbance measurement is used in the PWA virtual sensor (10.1), which
changes to the augmented PWA virtual sensor.



Definition 11.1 (Augmented piecewise affine virtual sensor). The augmented
piecewise affine virtual sensor is the dynamical system

$$\Sigma_S: \begin{cases} \dot{\hat{x}}_f(t) = (A_i - LC_f)\hat{x}_f(t) + a_{f,i} + B_f u_f(t) + L y_f(t) + B_d d(t) & \text{for } \hat{x}_f \in \Lambda_i,\ i \in \{1,\dots,r\} \\ \hat{y}_c(t) = y_f(t) + (C - C_f)\hat{x}_f(t) \end{cases} \tag{11.1}$$

with the initial condition $\hat{x}_f(0) = \hat{x}_{f0}$.






Consequently, the dynamics (10.5), (10.6) of the observation error changes to

$$\Sigma_e: \dot{e}(t) = k_e(x_f(t) + e(t)) - k_e(x_f(t)), \tag{11.2}$$

where the function $k_e(\cdot)$ is defined in Equation (10.6). Hence, the disturbance is
not an input to the error subsystem $\Sigma_e$ any longer, and the state estimate is globally
asymptotically stable for arbitrary disturbances. Since the disturbance is measurable,
typically the nominal controller (9.6) uses the disturbance measurement, i.e.
$u_c(t) = Q_c(r, y, d, x_{c0})$. It is also still assumed that the modified nominal closed-loop
system satisfies Assumption 9.2. The $\tilde{x}$-subsystem of the reconfigured plant
as written in Equation (10.2), to which the nominal controller $\Sigma_C$ is connected,
does, however, not depend on the disturbance. Therefore, the reference model (10.2)
is augmented by the disturbance input, leading to the augmented PWA virtual
actuator.



Definition 11.2 (Augmented piecewise affine virtual actuator). The augmented
piecewise affine virtual actuator is the dynamical system

$$\Sigma_A: \begin{cases} \dot{\tilde{x}}(t) = A_j \tilde{x}(t) + a_j + B u_c(t) + B_d d(t) & \text{for } \tilde{x} \in \Lambda_j,\ j \in \{1,\dots,r\} \\ y_c(t) = \hat{y}_c(t) + C x_\Delta(t) \\ u_f(t) = M x_\Delta(t) + B_f^+ a_{\Delta,j} \end{cases} \tag{11.3}$$

with the initial condition $\tilde{x}(0) = \hat{x}_{f0}$, and where $x_\Delta(t) = \tilde{x}(t) - \hat{x}_f(t)$ in accordance
with Equation (3.35).



The modified reconfiguration block $\Sigma_R = (\Sigma_S, \Sigma_A)$ defined by the equations (11.2)
and (11.3) is now used in the closed-loop system. In this case, the following result
is in place.

Lemma 11.1 (Measured disturbance compensation). Consider the faulty PWA
system (9.7), suppose that the disturbance $d$ is measurable, and suppose that
Assumption 9.1 and Assumption 9.4 hold. If there exist matrices $X_s \in \mathbb{R}^{n \times n}$, $X_s = X_s^T > 0$
and $Y_s \in \mathbb{R}^{n \times q}$ that satisfy the LMIs (10.11), (10.13), then the system (11.1) with
the gain $L = X_s^{-1} Y_s$ is an observer for the system (9.7) with globally exponentially
stable observation error dynamics (11.2), thus all solutions $e(t)$ of the observation
error (11.2) satisfy the relation

$$\|e(t)\| \le c\,e^{-at}\,\|e(0)\|, \quad t \in [0,\infty), \tag{11.4}$$

where the real numbers $c > 0$ and $a > 0$ depend only on the solutions of the
LMIs (10.11), (10.13). The reconfiguration block (11.1), (11.3) satisfies the weak
fault-hiding goal as well as Equation Ml. 1Tb for arbitrary disturbances.



Proof. The fault-hiding aspect is immediate from Assumption 9.3 and the proof
of Lemma 10.1. The bound (11.4) follows immediately from the observation error
dynamics (11.2) and similar reasoning as in the proof of Lemma 10.2. ■

In applications, the disturbance is frequently not measured, and furthermore, the 
tracking of constant reference inputs has not been considered yet. These aspects are 
addressed in the following section. 



11.2 Extended Piecewise Affine Virtual Sensor and Extended 
Piecewise Affine Virtual Actuator 

This section investigates the case of unmeasured but constant disturbances. The idea
consists in the estimation of the disturbance by means of a disturbance observer. The
constant disturbance is assumed to be generated by an exogenous system defined by
the equation

$$\dot{d}(t) = 0, \quad d(0) = d_0$$

with unknown initial condition $d_0$. The problem consists in obtaining an estimate
$\hat{d}$ of the disturbance $d$. The estimate $\hat{d}$ is then used as an input to the PWA virtual
sensor. This idea leads to the extended PWA virtual sensor.




Definition 11.3 (Extended piecewise affine virtual sensor). The extended
piecewise affine virtual sensor is the dynamical system

$$\Sigma_S: \begin{cases} \dot{\hat{x}}_f(t) = (A_i - LC_f)\hat{x}_f(t) + a_{f,i} + B_f u_f(t) + L y_f(t) + B_d \hat{d}(t) & \text{for } \hat{x}_f \in \Lambda_i,\ i \in \{1,\dots,r\} \\ \dot{\hat{d}}(t) = L_d \left( y_f(t) - C_f \hat{x}_f(t) \right) \\ \hat{y}_c(t) = P y_f(t) + (C - P C_f)\hat{x}_f(t) \end{cases} \tag{11.5}$$

with the initial conditions $\hat{x}_f(0) = \hat{x}_{f0}$ and $\hat{d}(0) = \hat{d}_0$.

Fig. 11.1 Extended PWA virtual sensor and extended PWA virtual actuator for tracking
recovery.



The extended PWA virtual sensor that replaces the PWA virtual sensor (10.1) is
shown in Fig. 11.1. In addition to the state observation error $e$ defined in Equation
(3.39), the disturbance observation error $e_d$ is defined as

$$e_d(t) = \hat{d}(t) - d(t), \quad e_d(0) = \hat{d}_0 - d_0. \tag{11.6}$$



The disturbance estimation error has an initial value that is defined by the disturbance
observer initial value $\hat{d}_0$ and by the true initial disturbance value $d_0$. The gains
$L$ and $L_d$ are designed to stabilise the extended system (11.5), which is rewritten in
terms of the extended observation error e and the extended state x
as



S e :[Ht) =k e m)+x(t))-k e (x(t)), (H.8) 

where e(0) = e = (e(0) r e rf (0)) r and 

jjj) = (A,,,- - LC f ) |*J + «/,; for £ 6 A i; i € { 1, . . . , r) (11.9) 

The free parameters $L$ and $L_d$ will be used to stabilise the extended observation
error e. The free matrix parameter $P$ has no effect on stability and may be used,
for example, to pass through healthy measurements. Note that the disturbance $d$ is
not a genuine input to (11.8). Next, the nulling of the output term $C_z x_\Delta(t)$ is addressed,
which was identified as the second part (11.18) of the translated problem to
be solved for achieving tracking stated in Lemma 11.3. It is assumed that either the
disturbance is measured as described in Section 11.1 or an extended PWA virtual
sensor (11.5) that also estimates constant disturbances is available so that the first
subproblem has been solved.

To address the reference tracking aspect, it is assumed that the reference signal is 
generated by an exogenous system 

$$\dot r(t) = 0, \quad r(0) = r_0.$$

The PWA virtual actuator is augmented by an internal model of the constant reference 
signal. In other words, integrators with states $x_I \in \mathbb{R}^p$ are added. The number 
of integrators is chosen to match the number of components of the output $z$. The 
PWA virtual actuator (10.2) is hence replaced by the extended PWA virtual actuator 
defined as follows. 



Definition 11.4 (Extended piecewise affine virtual actuator). The extended 
piecewise affine virtual actuator is the dynamical system 




x(t) = Ajx(t) + dj + Bu c (t) + Bdd(t) for x € Aj, j £ {1, . . . , r] 


Za ■ ' 


X[(t) = C z xj(t) 

(11.11) 
y c (t) =y c {t) + Cx A {t) 




u/(t) = Mx A {t) + Mixi(t) + B + f dAj 


with the initial conditions $x(0) = x_{f0}$ and $x_I(0) = 0$, and where $x_\Delta(t) = x(t) - x_f(t)$ 
in accordance with Equation (3.35). 

The extended PWA virtual actuator is shown in Fig. 11.1. Using the function 

$$k_\Delta(\xi) = (A_{a,j} - B_f M)\,\xi + a_{f,j} \quad \text{for } \xi \in \Lambda_j,\ j \in \{1,\dots,r\}, \tag{11.12}$$

where 



(ci«)- ■«*(V)-*/*(*')- **(-*)■ ai.13) 



and using Assumption 9.5, it is straightforward to obtain the following combined 
dynamics of the extended difference system 



kj 



m 

xi{t) t 



x(t)-x A (t) 




Bu c (t) + LC f e(t) 







(11.14) 



The following Lemma shows that the reconfigured plant obtained with extended 
virtual sensor $\Sigma_S$ and the extended virtual actuator $\Sigma_A$ satisfies the weak fault-hiding 
goal. 

Lemma 11.2 (Weak fault-hiding). The reconfigured plant $\Sigma_{Pr} = (\Sigma_{Pf}, \Sigma_S, \Sigma_A)$ 
formed by the faulty PWA plant (9.7), the extended PWA virtual sensor (11.5), and 
the extended PWA virtual actuator (11.11) satisfies the weak fault-hiding goal. 

Proof. Based on Assumption 9.5, the relevant part of the reconfigured plant model 
is given by the equations (index $j$ determined by $x(t) \in \Lambda_j$) 



( m ) 




e(t) 




x A {t) 




\Xl(t)) 





Ajx(t) + aj + B d d(t) 

k e (e(t) + x(t))-k e (x(t)) 

k A (x(t)) - k A (x(i) - x A (tj) + LC f e(t) 

C z x A (t) 



\ 


fB\ 


+ 



B 


/ 


(0) 



u c (t), 



( x(t) > 




( jc(0) > 




(Xffl\ 


eit) 




*(0) 




eo 


x A {t) 


9 


x A {Q) 







\Xl{t)) 




U/(0)J 




v o J 



y c (t) =(C -PC/ 0) 



where k A (g) = (Aj - BfM)^ + a/j for £ e Aj,j e {1, . . . , r}. Weak fault hiding (Defi- 
nition [331 ) is achieved by the matching initialisation jc/,o = *o> ^0 = which implies 
that eo - for d(t) - Vf e R+, and d(t) = 0. The nominal controller is attached to 
the reference system 

$$\Sigma_P:\ \dot x(t) = A_j x(t) + a_j + B u_c(t) + B_d d(t) \quad \text{for } x \in \Lambda_j,\ j \in \{1,\dots,r\}$$

governed by nominal dynamics. The reference state x is decoupled from the ob- 
servation error e and the difference state x A for do — since do = 0. The output y c 
depends on x and e, where the observation error e is autonomous, and d = and 
d{Q) = imply that e = 0. ■ 
The next section reveals how the setpoint tracking recovery problem relates to the 
synthesis of the free parameters of the extended PWA virtual sensor and the extended 
PWA virtual actuator. Finally, a procedure is shown that ensures that the 
disturbance estimate exponentially converges to the true disturbance, and that the 
output of the faulty plant recovers the nominal tracking precision. 



11.3 Transformation of the Problem 

The relevant output $z$ is defined in Equation (9.1). It is studied in this section how 
and under which conditions the extensions made in the previous section guarantee 
that the corresponding output $z_f$ of the faulty system defined in Equation (9.7) 
asymptotically tracks the reference input to the same precision $K > 0$ as in the 
nominal case: 

$$\limsup_{t\to\infty} \|e_z(t)\| = \limsup_{t\to\infty} \|r(t) - z_f(t)\| = \limsup_{t\to\infty} \|r(t) - C_z x_f(t)\| < K. \tag{11.15}$$

From the definitions (3.35) and (3.39) of the difference state $x_\Delta$ and the observation 
error $e$, one obtains the equivalent goal 

$$\limsup_{t\to\infty} \|e_z(t)\| = \limsup_{t\to\infty} \|r(t) - C_z x(t) + C_z (x_\Delta(t) + e(t))\| < K, \tag{11.16}$$

where it is known from Assumption 9.3 that $\limsup_{t\to\infty} \|r(t) - C_z x(t)\| < K$, if the 
state $x$ is governed by nominal dynamics. In the previous chapter, it has turned out 
that the observation error $e$ acts on the transformed closed-loop system as a 
measurement disturbance entering at the output $y_c$ (see the proof of Theorem 10.1). It 
is, therefore, sufficient for solving Problem 9.2 that $\lim_{t\to\infty} C_z (e(t) + x_\Delta(t)) = 0$ and 
$\lim_{t\to\infty} e(t) = 0$. Observing that $e$ and $x_\Delta$ are driven by different exogenous inputs 
$d$ and $u_c$ of which the first one is generally unknown, achieving the special case 
$C_z e(\infty) = -C_z x_\Delta(\infty)$ is unrealistic in most cases. Therefore, the output $C_z e$ will be 
decoupled from $d$, and $C_z x_\Delta$ will be decoupled from $u_c$, which leads to the following 
sufficient conditions for solving Problem 9.2. 

Lemma 11.3 (Setpoint tracking recovery for PWA systems). The reconfigured 
closed-loop system recovers the nominal closed-loop tracking precision $K$ if the 
reconfiguration block $\Sigma_R$ guarantees that the following relations hold for constant 
reference inputs and constant disturbance inputs: 

$$\lim_{t\to\infty} e(t) = 0 \tag{11.17}$$

$$\lim_{t\to\infty} C_z x_\Delta(t) = 0. \tag{11.18}$$

For fault scenarios with blocked actuators, tracking will only be achievable if the 
effect of blocked actuators can be compensated. Therefore, Assumption 9.5 still 
holds. 
The first step consists in asymptotically decoupling the observation error (11.17) 
from the disturbance (the case of measurable disturbance signals has already been 
discussed in Section 11.1). The second step consists in decoupling the output-relevant 
difference system (11.18) from the control input. The main result discussed 
in Section 11.4 consists in a set of sufficient conditions imposed on the parameters 
of the extended PWA virtual actuator and extended PWA virtual sensor that guarantee 
both the reconfigured closed-loop ISS property and the tracking of constant 
setpoints in the presence of constant disturbances. The reconfiguration scheme is 
robust against inaccurate models of the faulty plant and time-varying disturbances, 
as shown in Section 11.5. Furthermore, robustness against uncertainties in the fault 
diagnosis result is shown in Section 11.6. The extended PWA virtual sensor and 
the extended PWA virtual actuator are dual systems as shown in Section 11.7. The 
chapter is summarised in Section 11.8. 

11.4 Main Stability and Tracking Result 



This section provides the solution to Problem 9.2 based on the extended PWA virtual 
sensor $\Sigma_S$ and the extended PWA virtual actuator $\Sigma_A$ defined in the previous section. 

Lemma 11.4 (Global exponential stability of the extended observation error). 
Consider the faulty PWA system (9.7), suppose that Assumptions 9.1 and 9.4 hold, 
and assume that the disturbance is constant ($\dot d(t) = 0$). If there exist matrices 
$X_s \in \mathbb{R}^{(n+k)\times(n+k)}$, $X_s = X_s^T > 0$, and $Y_s \in \mathbb{R}^{(n+k)\times(q+k)}$ that satisfy the LMIs 

$$X_s A_{e,i} + A_{e,i}^T X_s - Y_s C_f - C_f^T Y_s^T < 0, \quad i = 1,\dots,r, \tag{11.19}$$

then the system (11.5) with the gain $L = X_s^{-1} Y_s$ is a state and disturbance observer 
for the faulty system (9.7). All solutions $e$ of the extended observation error system 
defined in Equation (11.7) satisfy the relation 

$$\|e(t)\| < c\,e^{-at}\,\|e(0)\|, \quad t \in [0,\infty), \tag{11.20}$$

where the real numbers $c > 0$ and $a > 0$ depend only on $X_s$ and $Y_s$. 

Proof. Noting that the function (11.9) is continuous, a Lyapunov function 
$V(e) = \tfrac{1}{2} e^T X e$ is constructed. Theorem 9.1 implies that 

$$\dot V(e) = e^T X \dot e = e^T X (k_e(x + e) - k_e(x)) \tag{11.21}$$

$$< -a\,e^T X e, \quad a > 0, \tag{11.22}$$

which immediately implies the inequality (11.20). The inequality (11.22) follows 
from Theorem 9.1 if the extended system satisfies 

$$X(A_{e,i} - L C_f) + (A_{e,i} - L C_f)^T X < 0, \quad i = 1,\dots,r,$$

which are equivalent to the LMIs (11.19) after the linearising change of variables 
$X_s = X$ and $Y_s = XL$. ■ 
Condition (11.19) ensures that the extended PWA virtual sensor (11.5) estimates 
both the constant disturbance and the system state in spite of the different discrete 
modes of the plant and the virtual sensor. 
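The behaviour that condition (11.19) guarantees can be tried on a small constructed case. The following Python sketch is an added example, not code from the monograph: it checks a hand-picked candidate pair ($X$, $L$) against the mode-wise inequality in the form $X(A_{e,i} - LC_f) + (A_{e,i} - LC_f)^T X < 0$ and then simulates the extended virtual sensor (11.5) while plant and observer occupy different modes. The scalar two-mode plant, all numerical values, the input signal and the helper names are assumptions; no LMI solver is used.

```python
import math

# Constructed continuous PWA drift f(x) = a_i*x + alpha_i:
# mode 1 for x < 1, mode 2 for x >= 1. Both pieces give f(1) = -1.
MODES = [(-1.0, 0.0), (-2.0, 1.0)]      # (a_i, alpha_i), assumed values
B_D = 1.0                               # disturbance input gain (role of B_d)
C_F = 1.0                               # measured output y_f = C_F * x_f

X_CANDIDATE = [[1.0, -0.25], [-0.25, 0.5]]   # hand-picked Lyapunov matrix X
GAIN = (2.0, 2.0)                            # hand-picked (L, L_d)


def drift(x):
    """Evaluate the PWA drift in the mode selected by x."""
    a, alpha = MODES[0] if x < 1.0 else MODES[1]
    return a * x + alpha


def error_matrix(a_i, gain):
    """A_{e,i} - L*C_f for the extended state (x_f, d), L = (l, l_d)^T."""
    l, l_d = gain
    return [[a_i - l * C_F, B_D], [-l_d * C_F, 0.0]]


def lyapunov_lhs(X, M):
    """Return Q = X*M + M^T*X for 2x2 matrices given as nested lists."""
    XM = [[sum(X[r][k] * M[k][c] for k in range(2)) for c in range(2)]
          for r in range(2)]
    return [[XM[r][c] + XM[c][r] for c in range(2)] for r in range(2)]


def is_pos_def(S):
    """Sylvester criterion for a symmetric 2x2 matrix."""
    return S[0][0] > 0 and S[0][0] * S[1][1] - S[0][1] * S[1][0] > 0


def lmi_holds(X, gain):
    """True if X > 0 and the Lyapunov inequality is negative definite in every mode."""
    if not is_pos_def(X):
        return False
    for a_i, _ in MODES:
        Q = lyapunov_lhs(X, error_matrix(a_i, gain))
        if not is_pos_def([[-q for q in row] for row in Q]):
            return False
    return True


def simulate(gain, d_true=0.5, t_end=30.0, dt=1e-3):
    """Forward-Euler run of plant and observer; returns final (x_f, x_hat, d_hat)."""
    l, l_d = gain
    x, x_hat, d_hat = 2.0, 0.0, 0.0          # deliberately mismatched initial values
    for k in range(round(t_end / dt)):
        u = 0.5 + 1.5 * math.sin(0.5 * k * dt)   # drives the state across x = 1
        innov = C_F * x - C_F * x_hat            # y_f - C_f * x_hat
        dx = drift(x) + u + B_D * d_true         # plant, mode chosen by x
        dx_hat = drift(x_hat) + u + B_D * d_hat + l * innov   # mode chosen by x_hat
        dd_hat = l_d * innov                     # disturbance observer
        x, x_hat, d_hat = x + dt * dx, x_hat + dt * dx_hat, d_hat + dt * dd_hat
    return x, x_hat, d_hat


if __name__ == "__main__":
    print("LMI check, candidate gain:", lmi_holds(X_CANDIDATE, GAIN))
    print("LMI check, gain (2, -2): ", lmi_holds(X_CANDIDATE, (2.0, -2.0)))
    x, x_hat, d_hat = simulate(GAIN)
    print("state error:", x_hat - x, " disturbance error:", d_hat - 0.5)
```

A gain that fails the check for one candidate $X$ is not thereby proven unstable, since the condition is only sufficient and another $X$ might work.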

Remark 11.1 (Relations to linear unknown-input observers). The feasibility conditions 
(11.19) may be interpreted as follows, where the notation $\langle \ker C \mid A \rangle$ denotes 
the largest $A$-invariant subspace contained in $\ker C$, and $\sigma(A|S)$ denotes the set of 
eigenvalues of $A$ restricted to the $A$-invariant subspace $S$. It is certainly necessary 
(but not sufficient in general) for the observability of the faulty PWA system (9.7) 
that the pair $(C_f, A_{e,i})$ be detectable for all discrete modes $i \in \{1,\dots,r\}$. Detectability 
of the linear systems defined for each mode is equivalent 121111 to the condition 

{A, B d \ 



V* e {l,...,r]. , Q 



ta M(?Y))H 



which means that in every discrete mode, the unobservable modes must be stable. 
Since the disturbance dynamics are marginally stable by assumption, it is necessary 
that the disturbance effects completely propagate through the output $C_f$. This 
condition is equivalent to those found in the literature on unknown-input estimators 
II43L I80TI. Of course, this condition alone is not sufficient for the stability of mixed 
modes in the plant and the virtual sensor and thus in the complete observation error 
dynamics, which is why the more restrictive sufficient conditions (11.19) were 
obtained. 

The following Lemma provides a sufficient condition for the ISS of the extended 
difference system. 

Lemma 11.5 (Input-to-state stability of the extended difference system). Consider 
the faulty PWA system (9.7) and suppose that Assumptions 9.1, 9.5 and 9.4 
hold. If there exist matrices $X_a \in \mathbb{R}^{(n+p)\times(n+p)}$, $X_a = X_a^T > 0$, and $Y_a \in \mathbb{R}^{m\times(n+p)}$ that 
satisfy the LMIs 

$$A_{a,j} X_a + X_a A_{a,j}^T - B_f Y_a - Y_a^T B_f^T < 0, \quad j = 1,\dots,r, \tag{11.23}$$

then the extended difference system (11.14) of the extended virtual actuator (11.11) 
with the gain $M = Y_a X_a^{-1}$ is 0-GES for zero inputs $u_c, e = 0$. Moreover, all solutions 
$(x_\Delta(t), x_I(t))$ of the unforced difference system (11.14) (i.e. $u_c, e = 0$) satisfy the 
relation 

$$\|x_\Delta(t)\| + \|x_I(t)\| < c\,e^{-at} \left( \|x_\Delta(0)\| + \|x_I(0)\| \right), \tag{11.24}$$

where the real numbers $c > 0$ and $a > 0$ depend only on $X_a$ and $Y_a$. In other words, 
the difference state $x_\Delta$ asymptotically converges to the origin: $\lim_{t\to\infty} x_\Delta(t) = 0$ 
for zero inputs. Furthermore, the extended difference system is ISS w.r.t. the input 
$(u_c, e)$. If the steady-state control input $u_c$ is constant and $\lim_{t\to\infty} e(t) = 0$, then 
$\lim_{t\to\infty} C_z x_\Delta(t) = 0$. 
Proof. Noting that the function (11.12) is continuous, a Lyapunov function 
V((x^,xJ) T ) = \(x T A xJ)X~ l is constructed, and Theorem 9.1 is used to obtain 
the following properties of its derivative 

n<.xlxJ?) = (x*xJ)K 1 (u*,xri-kAi-x J ,<>) + { B "'\ LCfe \\ 

Hs) r * 1 feMz)'M fc ' + »" > 

for some $a > 0$, which is a Lyapunov characterisation of ISS with respect to the input 
$(u_c, e)$. The latter inequality follows from Theorem 9.1 if the extended difference 
system satisfies the inequalities 

$$X_a^{-1}(A_{a,j} - B_f M) + (A_{a,j} - B_f M)^T X_a^{-1} < 0, \quad j = 1,\dots,r,$$

which are equivalent to the LMIs (11.23) after multiplication of the LMIs with $X_a$ 
from left and right and introduction of the new variable $Y_a = M X_a$. It is thus proven 
that the extended difference system (11.14) is ISS w.r.t. the input $(u_c, e)$ if the given 
LMIs are satisfied. 

It remains to be proven that $\lim_{t\to\infty} C_z x_\Delta(t) = 0$ as $u_c$ becomes constant in 
steady-state. This property is proven by showing that the extended difference system 
(11.14) is exponentially convergent, and thus a constant steady-state input implies 
a constant steady-state solution for the extended difference system. Consider a 
candidate Lyapunov function $V$ for quadratic convergence: 

V = ((x A , 2 -x A , l ) T (x l , 2 -x I , l ) T )ph 2 - X r A A 

v ' \Xl,2-Xi t lj 

Along solutions of (111.14b the time derivative of V satisfies 

V = ((X A2 -XA.lf 0/,2 -X,,l) T )P 

hlL* ))-*a(L* ))-hll*-^ 2 )) + kJ(*- XAi 



Xl,2Jj \\xi,i)l U J) \\ 

Using twice the fact that the function $k_\Delta$ satisfies the inequality (9.3), one obtains 
that there exists $a > 0$ such that 

(11.25) 
Since $P = P^T > 0$, it follows that P has the structure 
from the partition P — _ „ X I. Hence, Equation (11.25) gives 
\"12 "2^/ 

Therefore, the extended difference system (11.14) is exponentially convergent and 
its solutions converge to a unique constant solution, see [159, Property 2.23]. 
From Lemma 11.4, $\lim_{t\to\infty} e = 0$ for $\dot d = 0$. From Assumption 9.3 it follows that 
$\lim_{t\to\infty} u_c(t) = u_c$, so $u_c$ is constant in steady-state and $(x_\Delta, x_I)$ converges to a 
constant steady-state solution due to [159, Property 2.25]. According to (11.11), $x_I$ 
constant implies that $C_z x_\Delta = 0$, and it follows that $\lim_{t\to\infty} C_z x_\Delta(t) = 0$, as claimed. The 
boundedness of solutions of the extended difference system in case of non-constant 
inputs is guaranteed by its ISS property. ■ 

With the partial results regarding the extended observation error and the extended 
difference system, the following main result regarding reconfigured closed-loop 
tracking recovery can be stated and proven, which summarises the results of 
Lemma 11.4 and Lemma 11.5. The following theorem thus provides the solution 
to Problem 9.2. 



Theorem 11.1 (Stable asymptotic setpoint tracking recovery). Suppose that 
the Assumptions \9J\ [£4] \9J\ and fjO| are satisfied. If the LMIs (11.19) 
and (11.23) are feasible, then the reconfigured closed-loop system 
$(\Sigma_{Pf}, \Sigma_S, \Sigma_A, \Sigma_C)$ consisting of the controller (9.6), the faulty PWA system (9.7), 
the extended PWA virtual sensor (11.5), and the extended PWA virtual actuator 
(11.11) is globally ISS w.r.t. the input $(r, d)$. Moreover, the output $z_f$ asymptotically 
tracks any constant reference r(t) — rp(t), f e R p , for any constant 
disturbance d(t) — dp(t), d € R , to nominal precision $K > 0$ in the sense that 
$\limsup_{t\to\infty} \|r(t) - z_f(t)\| < K$ for all initial conditions $x_0$, $x_{f0}$, and $x_{c0}$. 

The same result is achieved for arbitrary disturbances if the disturbance sig- 
nal d is measurable, if the hypotheses of Lemma U 1 . l\ are satisfied, and if the 
augmented PWA virtual sensor ( 177.71 ) and the augmented PWA virtual actua- 
tor ( I77.JD are used to realise the reconfiguration block Er — (E$ ,£a)- 



Proof. See Appendix D, page 268. 

Both extensions that together provide stability and tracking are based on the 
internal model principle. Namely, models of exo-systems creating the admissi- 
ble disturbance and reference inputs have been embedded in the reconfiguration 
block dTO . ( flTTTV 
Remark 11.2 (Occasional disturbance and reference jumps). In practice, the extended 
PWA virtual sensor (11.5) still works appropriately for infrequent discontinuous 
changes of the disturbance input $d$, in other words, if the disturbance is 
piecewise constant. Infrequent disturbance jumps may then be interpreted as 
changes of the initial condition of the extended observation error (11.7). "Infrequent" 
means that the disturbance should remain constant for several integer multiples 
of $1/a$, where $a$ is defined in Equation (11.20). The same considerations hold for 
the extended PWA virtual actuator (11.11), the reference input $r$, and the extended 
difference system (11.14). 

Remark 11.3 (Relation to disturbance decoupling). The recovery of the nominal 
dynamical closed-loop response for arbitrary reference inputs is equivalent to a 
disturbance decoupling problem with stability for known disturbance (DDPS') for the 
reconfigured plant. To see the disturbance decoupling problem, consider the input 
$u_c$ as the disturbance and the output $C x_\Delta$ (see also Fig. 3.12). The solution to this 
type of problem as well as to several variants of the problem are well-known for the 
linear case [219]. However, this is not the case for PWA systems. The solution of 
dynamical disturbance decoupling problems with and without stability for switching 
systems with known or unknown disturbances in terms of necessary and sufficient 
conditions remains a challenging open problem in control theory. In fact, a solution 
to the static DDPS' problem for PWA systems has been provided in this chapter in 
terms of sufficient conditions. The general and complete solution of the dynamical 
DDPS' problem for PWA systems remains an open problem. 

The design procedure for the reconfiguration block to achieve tracking is summarised 
in Algorithm 11.1. The steps 1-4 describe the nominal closed-loop operation 
before any faults occur. Once faults are detected and isolated in step 5, the 
design of the extended PWA virtual sensor and the extended PWA virtual actuator 
activates in steps 6-11, where the gains $L$, $L_d$, $M$, and $M_I$ are determined (the gain 
$P$ is an additional degree of freedom that may be used to feedthrough healthy sensor 
measurements). After completed gain calculations, the reconfigured closed-loop 
system is executed in step 12, starting at reconfiguration time $t = 0$. Step 10 reduces 
the bump that occurs due to inaccurate guesses of the initial condition of the faulty 
plant. 

It is straightforward to derive variations of the algorithm for the special case 
where the disturbances are measurable. If the relevant LMIs are infeasible, then 
a stability-recovering and tracking-recovering virtual sensor and virtual actuator 
scheme might exist, but cannot be found using the sufficient conditions presented 
in this chapter. This problem appears to be fundamentally unavoidable, since the 
problem of deciding whether all trajectories of a given PWA system are bounded is 
undecidable B24I1 . In practice, it is possible to remove rows from the output matrix 
$C_z$ according to a priority list until feasible solutions are found. Regarding the 
conservatism of common quadratic Lyapunov functions, the same considerations as in 
Chapter 10 hold. 
Algorithm 11.1. Tracking recovering extended PWA virtual sensor and extended 
PWA virtual actuator synthesis 

Require: PWA model $A_i$, $a_i$, $B$, $B_d$, $C$, $i \in \{1,\dots,r\}$, initial time $t_0 < 0$, guessed 
initial condition $\hat x_{f0}$ 
1: Initialise the nominal closed-loop system (9.1), (9.6), (11.5), (11.11) with $C_f = C$, 
   $B_f = B$, $a_{f,i} = a_i$, $L = 0$, $L_d = 0$, $P = I$, $M = 0$, $M_I = 0$, $x(t_0) = x_0$, $x_c(t_0) = x_{c0}$, 
   $\hat x_f(t_0) = \hat x_{f0}$, $\hat d(t_0) = 0$, $\tilde x(t_0) = \hat x_{f0}$, $x_I(t_0) = 0$. Set the virtual actuator inactive 
   by setting $u_f(t) = u_c(t)$. 
2: Solve LMIs (11.19) with $C_f = C$ and compute a stabilising extended PWA virtual 
   sensor gain $L = X_s^{-1} Y_s$, update extended PWA virtual sensor (11.5) 
3: repeat 
4:    Run nominal closed-loop system 
5: until actuator or sensor fault $f$ detected and isolated 
6: Construct fault model $a_{f,i}$, $B_f$, $C_f$ and update the extended PWA virtual sensor 
   (11.5) and the extended PWA virtual actuator (11.11) 
7: Solve LMIs (11.19) and (11.23) for $X_s$, $Y_s$, $X_a$, $Y_a$ 
8: Compute $L = X_s^{-1} Y_s$ and $M = Y_a X_a^{-1}$ 
9: Update the extended PWA virtual sensor (11.5) with $L = (L^T \; L_d^T)^T$ 
10: Wait for PWA virtual sensor to converge for specified time interval 
11: Update and activate the extended PWA virtual actuator (11.11) with $M = (M \; M_I)$ 
    and initialise $\tilde x(0) = \hat x_f(0)$ 
12: Run reconfigured closed-loop system (9.6), (9.7), (11.5), (11.11) 
Result: Globally ISS reconfigured closed-loop system that tracks constant reference 
inputs in the presence of constant disturbances. 



Example 11.1 (Tracking recovering extended PWA virtual sensor and actuator 
synthesis for the two-tank system). In this example, an extended PWA virtual 
sensor and an extended PWA virtual actuator are designed for the two-tank system 
in order to reconfigure the closed-loop system after the occurrence of the sensor 
fault $f_s$ and the valves failure $f_{a1}$ and degradation $f_{a2}$. 

The response of the tanks model subject to these faults is shown in Fig. 11.2. The 
sensor for the level $h_1$ fails at $t_{fs} = 40$ s, whereas the lower valve fails at $t_{fa1} = 20$ s 
and the upper valve degrades at $t_{fa2} = 35$ s. Due to the reconfiguration, it can be 
seen that the system follows the reference trajectory very closely. The extended PWA 
virtual sensor correctly estimates the state in spite of the unmeasured outflow $d$ from 
tank $T_1$ that sets in shortly after the failure of the level sensor for that tank. The 
extended PWA virtual actuator compensates the blocked lower valve by moving the 
upper valve to a compensating offset position. This example also shows that the 
tracking result of Theorem 11.1 is also practically useful if the reference input is not 
constant but piecewise constant. 
Fig. 11.2 Response of reconfigured closed-loop tanks system based on extended PWA virtual 
sensor and extended PWA virtual actuator with periodic reference input. 



11.5 Robustness against Piecewise Affine Model Uncertainties 
and Disturbance Variation 



In the previous sections, it has been tacitly assumed that the faulty plant, the 
extended PWA virtual sensor, and the extended PWA virtual actuator are PWA 
systems, and moreover, that the disturbance is constant. This section relaxes 
those assumptions and studies the robustness of the reconfiguration scheme 
against approximation errors of the PWA model used in the reconfiguration block 
$\Sigma_R = (\Sigma_S, \Sigma_A)$. Both issues are relevant in practice because the PWA model used 
in the reconfiguration block never perfectly describes the true plant dynamics in 
practice, and because disturbances are rarely constant. 

For the following analysis, it is assumed that the faulty nonlinear system is an 
input-affine system of the form 

$$\Sigma_{Pf,NL}:\ \dot x_f(t) = f(x_f(t)) + B_f u_f(t) + B_d d(t), \tag{11.26}$$

with $f$ continuous, whereas the PWA virtual sensor (10.1) is based on the PWA 
model 

$$\Sigma_{Pf}:\ \dot x_f(t) = A_i x_f(t) + a_{f,i} + B_f u_f(t) + B_d d(t) \quad \text{for } x_f(t) \in \Lambda_i,\ i \in \{1,\dots,r\}.$$

The difference between the input-affine model and the PWA model, 

$$\varepsilon(x_f) = f(x_f) - A_i x_f - a_{f,i} \quad \text{for } x_f \in \Lambda_i,\ i \in \{1,\dots,r\}, \tag{11.27}$$

represents the nonlinear approximation error. The disturbance is now assumed to be 
time-varying and generated by the exogenous system 

$$\dot d(t) = g(t), \quad d(0) = d_0, \tag{11.28}$$

where the disturbance variation rate $g$ modifies the disturbance if nonzero ($g \neq 0$), 
and keeps the disturbance constant if zero ($g = 0$). Using the model approximation 
error (11.27), the input-affine system (11.26) is re-written as a perturbed PWA model 

$$\dot x_f(t) = A_i x_f(t) + a_{f,i} + B_f u_f(t) + B_d d(t) + \varepsilon(x_f(t)) \quad \text{for } x_f(t) \in \Lambda_i,\ i \in \{1,\dots,r\}.$$

It is assumed here that the model approximation error is uniformly bounded, which 
is always achievable on a compact subset $\mathcal{X} \subset \mathbb{R}^n$ of the state space by sufficiently 
refining the state-space partition that underlies the PWA model. It is likewise assumed 
that the variation rate $g$ of the disturbance is globally bounded: 

$$\exists E \text{ such that } \forall x_f \in \mathcal{X} \subset \mathbb{R}^n : \|\varepsilon(x_f)\| < E \tag{11.29}$$

$$\exists F \text{ such that } \forall t \in \mathbb{R} : \|g(t)\| < F. \tag{11.30}$$

In order to obtain robustness for the reconfigured closed-loop system, Assumption 9.3 
is replaced by the following assumption about robustness of the nominal 
control scheme. 

Assumption 11.1 (Robust stabilising and tracking nominal control). The 
feedback interconnection $(\Sigma_P, \Sigma_C)$ of the nominal PWA system (9.1) with bounded 
measurement noise $n_y$ ($y(t) = Cx(t) + n_y(t)$) and the nominal controller (9.6) is ISS 
w.r.t. the input $(r, d, n_y)$ and IOS w.r.t. the input $(r, d, n_y)$ and the output $(x, u_c)$. 
Furthermore, constant reference commands r(t) — fp(t), f e R p , are asymptotically 
tracked to precision $K' > 0$ in the presence of time-varying disturbances $d(t)$ and 
measurement noise $n_y(t)$ ($y(t) = Cx(t) + n_y(t)$ with the property $\lim_{t\to\infty} n_y(t) \neq 0$) 
with constant steady-state control input $u_c \in \mathbb{R}^m$ in the sense that for all $x_0$, $x_{c0}$ 
i am ,r f rrr-m m - mx _* / Kmsup t _ + JKO-z(OI|£Z' 
\d{t) according to (177.281 ) , lit) = rp(t)} => < 

y lim,_,oo u c (t) = u c . 

Note that due to the time-varying disturbance and the persistent measurement noise, 
the tracking precision $K'$ is typically larger than the nominal tracking precision of 
Assumption 9.3. The magnitude of $K'$ will typically depend on the variation bound 
$E$ on $\|g\|$ as well as on a bound on measurement noise $n_y$. 

The inclusion of the model approximation error into the extended observation 
error (11.7) leads to the new dynamics for the extended observation error 

$$\Sigma_e:\ \dot e(t) = k_e(x(t) + e(t)) - k_e(x(t)) - \varepsilon(x_f(t)) - g(t) \tag{11.31}$$



where 



^<o>fr).*H«) 



and the extended observation error $e$, the extended state $x$, and the function $k_e(\cdot)$ 
have been defined in Equations (11.7) and (11.9). The following result is obtained. 



Theorem 11.2 (Robust extended PWA virtual sensor and extended PWA 
virtual actuator). Consider the faulty nonlinear system (11.26) reconfigured 
by means of the extended PWA virtual sensor (11.5) and the extended PWA 
virtual actuator (11.11), and suppose that Assumptions 9.1, 9.4 and 11.1 are 
satisfied. The reconfigured closed-loop system $(\Sigma_{Pf,NL}, \Sigma_S, \Sigma_A, \Sigma_C)$ is globally 
ISpS w.r.t. the input $(r, g)$, where $g$ is the disturbance variation rate. Moreover, 
if the reference input and the steady-state control input are constant, and if the 
nominal closed-loop system tracks the reference to precision $K'$, then the 
reconfigured closed-loop system tracks the reference input to degraded precision 
$K' + c \cdot E + d \cdot F$, where $c, d > 0$. 

Proof. See Appendix D, page 269. 

The relevance of this result consists in the statement that the reconfigured closed- 
loop stability and tracking recovery properties are not lost if assumptions regarding 
model accuracy and constant disturbance inputs are violated. Rather, the ISpS prop- 
erty is always guaranteed, and the tracking accuracy degrades gradually as the model 
error and the disturbance variation increase. Due to the observability of the obser- 
vation error from the output y c , the controller may reject the disturbance induced by 
the modelling error, as the following example shows. 
Example 11.2 (Tracking recovering extended PWA virtual sensor and actuator 
synthesis for the two-tank system). In this example, the extended PWA virtual sensor 
and an extended PWA virtual actuator are coupled with the nonlinear process 
model instead of a PWA process model. Therefore, the model used in the virtual sensor 
and virtual actuator does not exactly represent the process, requiring robustness 
against model uncertainties. 

The response of the tanks model subject to the following faults is shown in 
Fig. 11.3. The lower valve fails at $t_{fa1} = 20$ s and the upper valve degrades at 
$t_{fa2} = 35$ s. In spite of the inaccurate PWA model for the nonlinear process, the 
system follows the reference trajectory very closely, although the transient behavior 
differs somewhat from the response shown in Fig. 11.2. This example also shows 
that the tracking result of Theorem 11.1 is robust with respect to the model 
approximation error. The approximation error, however, affects the disturbance estimate, 
which oscillates considerably between extreme values of the order of magnitude of 
±1000 ml/s. The mean of the disturbance estimate at −16 ml/s is, however, still close 
to the true disturbance of −20 ml/s. The disturbance estimate provided by the extended 
PWA virtual sensor is, therefore, informative about the true disturbance in 
spite of the model uncertainties in this example. 

Fig. 11.3 Response of nonlinear tanks system reconfigured using PWA model based on 
extended PWA virtual sensor and extended PWA virtual actuator. 



11.6 Robustness against Uncertainties of the Fault Diagnosis 
Result 

In this section, the additional impact of uncertainties in the fault diagnosis result 
on the reconfiguration success is investigated, in view of the initial assumption that 
the fault diagnosis task has been solved. Since the model of the faulty plant is the 
outcome of an autonomous fault detection, isolation, and identification algorithm, 
this model is prone to be uncertain. In the following robustness analysis it is assumed 
that the model parameters $B_f$, $a_{f,i}$, and $C_f$ affected by faults are subject to 
unknown but finite additive uncertainties $\Delta B_f$, $\Delta a_f$ and $\Delta C_f$, while the model 
approximation error and disturbance variation introduced in the previous Section 11.5 
are maintained: 

$$\Sigma_{Pf,NL}:\ \begin{cases} \dot x_f(t) = A_i x_f(t) + a_{f,i} + \Delta a_f + (B_f + \Delta B_f)\,u_f(t) + B_d d(t) + \varepsilon(x_f(t)) & \text{for } x_f(t) \in \Lambda_i,\ i \in \{1,\dots,r\} \\ y_f(t) = (C_f + \Delta C_f)\,x_f(t). \end{cases} \tag{11.32}$$

It is still assumed that the fault isolation task is correctly solved, so that there are no 
missed detections and no false positive detections. 

With this uncertain plant model, the dynamics of the observation error and the 
difference system become 

$$\Sigma_e:\ \dot e(t) = k_e(x(t) + e(t)) - k_e(x(t)) - \varepsilon(x_f(t)) - g(t) + i_1(t) - i_2(t) - \Delta a_f \tag{11.33}$$

where $e$ is defined in Equation (11.7), $k_e$ is defined in Equation (11.9), $L$ is defined 
in Equation (11.10), $M$ is defined in Equation (11.13), and where 

$$i_1(t) = L\,\Delta C_f\,(x(t) - x_\Delta(t) - e(t)), \qquad i_2(t) = \Delta B_f M \begin{pmatrix} x_\Delta(t) \\ x_I(t) \end{pmatrix},$$

and 



Za- 



x A {t) 
xi(t) 



-MPHr^M"**;"™) 



h(t) 
o 



(11.34) 



where $k_\Delta$ is defined in Equation (11.12) and $i_4(t) = L\,\Delta C_f\,(x(t) - x_\Delta(t) - e(t))$. 
Furthermore, the controller input changes to 

$$y_c(t) = C x(t) - P C_f e(t) + i_3(t), \qquad i_3(t) = P\,\Delta C_f\,(x(t) - x_\Delta(t) - e(t)). \tag{11.35}$$



These models show that the additive model uncertainties introduce additional feed- 
back loops. Consequently, stability recovery requires small-gain conditions to be 
satisfied. 



Theorem 11.3 (Robustness against uncertain fault diagnosis). The reconfigured 
closed-loop system (9.6), (11.5), (11.11), (11.32) with the model approximation 
error $\varepsilon$ and the disturbance variation rate $g$ is robustly ISpS w.r.t. the 
input $(r, g)$ in spite of additive diagnosis uncertainties $\Delta B_f$, $\Delta a_f$, and $\Delta C_f$, if 
the following small-gain condition is satisfied: 



(LACf 

AB f M AB f Mi 
PACf 

LACf 



(11.36) 



where g is the ISS gain of the feedback-interconnection {Xc,Ep,X e ,I,/{) from 



;T ;T\T 



T\T 



the input (1 '] , i' 2 , ii , i' 4 )' to the output (x —x A -e,Xj,x A ) 



Proof. See Appendix D, page 270. 

The small-gain conditions can be satisfied in applications in the following ways: 

• Suppose that the models of non-faulty actuators and sensors are certain so that 
corresponding rows and columns in $\Delta B_f$ and $\Delta C_f$ are zero, and furthermore 
suppose that the LMIs (11.19) and (11.23) are feasible also if setting to zero 
those columns of $B_f$ that correspond to faulty actuators, as well as setting 
to zero those rows of $C_f$ that correspond to faulty sensors. In other words, 
faulty components are disregarded from the control loop, and consequently, 
corresponding rows of $M$ and columns of $L$ and $P$ may be set to zero without 
changing the convergence properties. Then, the products $\Delta B_f M$, $\Delta B_f M_I$, 
$L \Delta C_f$, $L \Delta C_f$, and $P \Delta C_f$ are automatically zero, and the small-gain conditions 
are satisfied. 
• The small-gain conditions indicate that small virtual sensor gains $L$ and $P$ and 
small virtual actuator gains $M$ improve robustness. Therefore, limited gains 
should be included as optimisation goals or additional constraints in numerical 
algorithms for finding solutions to the LMIs (11.19) and (11.23). 

This analysis has shown that the fault-hiding principle is robust against typical fault 
diagnosis uncertainties that are to be expected in practice. The problem of jointly 
designing a fault diagnosis system and a reconfiguration strategy is a completely 
different topic that is beyond the scope of this monograph. 



11.7 Duality between Extended Piecewise Affine Virtual Sensor
and Virtual Actuator

The duality between the design of PWA virtual sensors and PWA virtual actuators
found in the previous chapter is preserved under the extensions made in this chapter.
The extended PWA virtual sensor Σ_S and the extended PWA virtual actuator Σ_A are
thus dual systems in the following sense.



Theorem 11.4 (Duality between the extended PWA virtual sensor and the
extended PWA virtual actuator). Any solution L to the extended PWA virtual
sensor design problem for the pair (C_f, A_i) also parameterises a corresponding
solution M to the PWA virtual actuator design problem for the pair (A_i, B_f) =
(A_i^T, C_f^T). The solutions L and M are linked by means of the relation L = M^T.

Proof. See Appendix iDl, page 271.

The result implies that an approach for obtaining suitable gains for one system can 
be used to obtain suitable gains of the other system. 



11.8 Summary and Discussion 

This chapter has provided a solution to both the stability recovery problem and the 
setpoint tracking recovery problem for constant setpoint and constant disturbance 
signals after actuator and sensor faults in PWA systems, where the faults are mod- 
elled as changed input matrices, changed output matrices, and a changed affine term. 
The solution consists of an extended PWA virtual sensor and an extended PWA vir- 
tual actuator that also compensate blocked actuators if possible. 

The main extension with respect to the PWA virtual sensor and the PWA virtual
actuator introduced in the previous chapter consists in the inclusion of internal models
for the setpoint and disturbance signals in the reconfiguration block, which are
assumed to be generated by exogenous systems with constant dynamics. The extended
PWA virtual sensor can be interpreted as an unknown-input observer for the class of
PWA systems with constant disturbance. Although the theory is strictly valid only
for constant input disturbance signals, it is practical also for slowly varying
disturbances. The weak fault-hiding property is a consequence of the structures of the
extended PWA virtual sensor and the extended PWA virtual actuator (Lemma 11.2).
Further properties depend on the choice of their free parameters.

The main result is a set of sufficient conditions for reconfigured closed-loop ISS
and tracking in LMI form (Theorem 11.1). The conditions are also used to formulate
a procedure for determining the gains of the extended PWA virtual sensor and
the extended PWA virtual actuator such that the nominal stability and tracking are
recovered by the reconfigured closed-loop system (Algorithm 11.1). With respect to
the requirements stated in Chapter [L3l, the method is suitable for autonomous online
application. Given the current computational power, it is numerically applicable
to small- and medium-size problems. The reconfiguration method is robust against
inaccuracy in the model of the faulty plant, as well as robust against violations of
the assumption that the disturbance signal is constant (Theorem 11.2). Furthermore,
robustness against uncertain fault diagnosis results was shown (Theorem 11.3).

An open question for future research concerns the optimal choice of solutions to
the LMIs (11.19) and (11.23), which each have infinite numbers of solutions. This
freedom might be used to address performance requirements expressed in terms of 
the dynamics of the observation error system and difference system. A further open 
problem concerns accounting for input constraints. 

A desirable relaxation concerns the continuity assumptions (Assumption 9.1 and
Assumption ^. 41 ). Covering the class of discontinuous PWA systems would increase
the scope of possible applications for the reconfiguration approach. However, the
convergence property has been used in this chapter to guarantee tracking, and the
existence of common quadratic Lyapunov functions is known to be insufficient for
the convergence of discontinuous PWA systems with more than two modes B157I1.
The extension to discontinuous systems for stronger goals than stability is therefore 
a challenging open problem. 

This chapter concludes Part III on the reconfigurable control of PWA systems, 
whose consideration is motivated by their ability to approximate nonlinear dynam- 
ical systems to far better accuracy than linear systems. The stability and tracking 
recovery problems have been solved, and certain robustness and duality properties 
hold. 

The end of Part III also closes the parts of theoretical contributions to reconfigurable
control theory presented in this monograph. As regards the expressiveness
of the different modelling frameworks used in this monograph, Tables 4.1 to 9.1
have shown in retrospect that no single class of system models captures every relevant
technological fault aspect. This fact was highlighted through the ship example.
This observation emphasises the need for having developed reconfigurable control
approaches for each system class separately. The following final Part IV discusses
practical applications of the theoretical results developed in Chapters 5 to 11 in
experimental environments.



Part IV 
Applications 



In this part, applications of the nonlinear fault-hiding approaches to reconfigurable 
control that were developed in the previous parts are described. First, it is explained 
how the fault-hiding approach with its reconfiguration blocks should be included 
into an embedded real-time control framework, and a rapid-prototyping implemen- 
tation is described. Next, the application of the fault-hiding approach to a bench- 
mark thermofluid process is described. The process has been implemented on the 
pilot plant VERA at the Institute of Automation and Computer Control in Bochum. 
Applications of the aforementioned methods are summarised for several fault cases. 



Chapter 12 

Application Framework 



Abstract. This chapter explains how the fault-hiding approach to reconfigurable 
control is implemented in a real-time control framework. The required informa- 
tion flow between plant, controller, and reconfiguration block is described, and it 
is shown how reconfiguration blocks can be embedded into modern control hard- 
ware. A MATLAB toolbox providing prototype implementations of reconfiguration 
blocks is described. Finally, possible applications for virtual actuators and virtual 
sensors outside the field of fault-tolerant control are sketched. 



12.1 Information Structure of a Real-Time Control Framework 

This section describes the required information flow between sensors, the controller, 
actuators, and the reconfiguration block in order to enable reconfigurable control 
according to the methods presented in this monograph. For the matter of this section, 
the implementation details regarding control hardware, communication protocols, 
and communication architectures are irrelevant. 

Figure 12.1 shows the required structure of a reconfigurable closed-loop system.
The plant is equipped with actuators and sensors. The combination of physical plant,
actuators, and sensors was called "plant" Σ_P (nominal) or Σ_Pf (faulty) in Parts I–III
of this monograph (grey box in Fig. 12.1). It is important that the models also
represent those actuators and sensors that are not used by the nominal controller. In
other words, the plant models must be complete with respect to the installed
redundancies, which can otherwise not be discovered by the reconfiguration algorithms.
In Fig. 12.1, the block labelled "physical plant" refers to the physical system. The
controller is arbitrary; in particular, it may be centralised or decentralised, linear or
nonlinear, as long as the nominal closed-loop system satisfies the assumptions of
the previous chapters.

The key aspect of the implementation is the immediate inclusion of the reconfiguration
block, which is a permanent part of the closed-loop system, whether or
not faults have occurred. Its permanence is enabled by the inactivity conditions that
every reconfiguration block must satisfy according to Definition [53]. The inactivity
conditions ensure that, before the occurrence of faults, the closed-loop system with
reconfiguration block behaves exactly like the nominal closed-loop system without
the reconfiguration block. The inactivity is symbolised in Fig. 12.1 by means
of switches. Before the occurrence of a fault, the switches are in the shown positions,
and the reconfiguration block has no influence on the closed-loop system.
Note that the signals entering the reconfiguration block directly without passing
through switches are important so that an observer inside the reconfiguration block
can track the state of the plant also while the reconfiguration block is inactive. The
inactivity conditions imply that the switches shown in Fig. 12.1 do not need to be
implemented.

Fig. 12.1 Information flow in a real-time control framework with reconfiguration block.

Once a fault has been detected and isolated, the parameters of the reconfiguration
block are updated, and the reconfiguration block is activated by moving the switches
in the directions indicated in Fig. 12.1. The synthesis of its parameters is based on
models Σ_P and Σ_Pf of the physical plant including its actuators and sensors. In the
context of this monograph, the model can be a linear model, a Hammerstein-Wiener
model, or a piecewise affine model. The model types were introduced and discussed
in Chapters |U, 5, and 9. Synthesis methods for linear reconfiguration blocks have
been summarised in Chapter 4. The possible synthesis methods for the parameters of
Hammerstein-Wiener reconfiguration blocks have been provided in Chapters 6 to 8.
Synthesis methods for the parameters of piecewise affine reconfiguration blocks
have been provided in Chapters 10 and 11.

Figure 12.1 furthermore shows that reference commands are typically generated
by a high-level control component with supervisory tasks. The high-level component
may be human or automatic. However, the presence of the higher level gives the
fault-hiding approach a further dimension. In the previous parts of this monograph,
the term "fault-hiding" refers to the comparison of the nominal and reconfigured
plant behaviour as seen from the controller. The fault-hiding idea can also be applied
to the interface between the supervisory level and the control level. Namely,
a successful reconfiguration at the control level that well recovers the closed-loop
behaviour from reference r to output z will hide the presence of faults and ease the
task of the supervisory level in responding to the fault. Fault-hiding at the supervisory
level is exactly achieved if and only if performance recovery is exactly achieved
at the control level.



12.2 Physical Realisation within Modern Control Architectures 

The reconfiguration block must be implemented with real-time constraints similar 
or equal to the real-time properties of the nominal controller on embedded real-time 
control hardware. Embedded real-time control hardware refers to programmable 
logic controllers (PLC), electronic control units (ECU), and similar devices. The 
implementability is mainly affected by the availability of three elements: 

• implementations of computational operations, 

• computational power, 

• storage capacity. 

These elements are now discussed based on typical computation and storage capacities
of contemporary embedded real-time control hardware¹. Since such hardware
is subject to quick development towards more storage capacity and more computational
power, the following statements are only of contemporary validity.

The implementation of the Hammerstein-Wiener virtual actuator and virtual sensor
requires the ability to perform numerical integration, addition, multiplication,
and the evaluation of nonlinear input and output functions, which might be imple- 
mented by means of table-lookup and interpolation. The implementation of the PWA 
virtual actuator and sensor requires the same abilities, where the nonlinear functions 
are PWA. The described computational operations are available in contemporary 
embedded real-time control hardware. The implementation of linear, Hammerstein- 
Wiener, and PWA reconfiguration blocks is therefore practically feasible from a 
functional perspective. 

¹ Electronic control units have 32-bit CPUs with up to 2 MB flash memory and up to 80 MHz
core clock frequency at the time of writing [62].

Regarding the computational power, the implementability depends on the speed
of the processor, on the dynamical model order, and on the required sampling time.
The latter depends on the plant dynamics. A general statement is impossible, but as
a general rule, the methods are implementable for moderately fast plant dynamics
on standard computing hardware. Since all methods presented in this monograph
are formulated in continuous time, a sufficiently high oversampling rate (such as
20x the fastest plant mode) is necessary so that the control laws can be implemented
in discrete time without respecting discrete-time theory 111711. While the
time-discretisation of linear reconfiguration blocks is straightforward in principle,
the translation of a given continuous-time nonlinear dynamical system into an
equivalent discrete-time system is not straightforward due to the lack of a universally
suitable and accepted method. Nevertheless, some approaches to the approximation of
continuous-time control by means of discrete-time control for nonlinear systems exist,
see 117 lh. For this reason, the quasi-continuous implementation of the nonlinear
reconfiguration block by means of oversampling is recommended.
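
The computational operations and the oversampling rule described above, as a C example added here (not code from the monograph or its toolbox): a Hammerstein-type block whose input nonlinearity is evaluated by table lookup with interpolation and whose dynamics are integrated quasi-continuously. The plant matrices, the lookup table, the forward-Euler integrator and the reading of "20x the fastest plant mode" as a sampling frequency of 20·|λ_max|/(2π) are assumptions made for this example.

```c
#include <stdio.h>

#define PI 3.14159265358979323846

/* Constructed static input characteristic phi(u) of an actuator with
   range [0, 1], stored as a lookup table (not data from the monograph). */
static const double LUT_U[]   = {0.00, 0.25, 0.50, 0.75, 1.00};
static const double LUT_PHI[] = {0.00, 0.10, 0.40, 0.80, 1.00};
#define LUT_N 5

/* Constructed plant x' = A x + B phi(u); A has the eigenvalues -1 and -10,
   so the fastest mode is 10 rad/s. */
static const double A_PLANT[2][2] = {{0.0, 1.0}, {-10.0, -11.0}};
static const double B_PLANT[2]    = {0.0, 1.0};
#define FASTEST_MODE 10.0

/* Table lookup with linear interpolation. Inputs outside the table are
   clamped to the end points, which also realises the input saturation. */
double lut_interp(const double *xs, const double *ys, int n, double x)
{
    if (x <= xs[0])     return ys[0];
    if (x >= xs[n - 1]) return ys[n - 1];
    int i = 0;
    while (x > xs[i + 1]) i++;            /* segment with xs[i] < x <= xs[i+1] */
    double w = (x - xs[i]) / (xs[i + 1] - xs[i]);
    return ys[i] + w * (ys[i + 1] - ys[i]);
}

/* Sampling time for an oversampling factor. Assumed reading of the rule:
   sampling frequency = factor * (fastest mode in Hz). */
double sample_time(double fastest_rad_s, double factor)
{
    return 2.0 * PI / (factor * fastest_rad_s);
}

/* Quasi-continuous implementation: forward-Euler steps of length ts from
   x(0) = 0 under a constant input u. Returns x1 after t_end seconds.
   Forward Euler is stable here only if ts * FASTEST_MODE < 2. */
double simulate_x1(double ts, double t_end, double u)
{
    double x[2] = {0.0, 0.0};
    double v = lut_interp(LUT_U, LUT_PHI, LUT_N, u);
    int steps = (int)(t_end / ts);
    for (int k = 0; k < steps; k++) {
        double dx0 = A_PLANT[0][0] * x[0] + A_PLANT[0][1] * x[1] + B_PLANT[0] * v;
        double dx1 = A_PLANT[1][0] * x[0] + A_PLANT[1][1] * x[1] + B_PLANT[1] * v;
        x[0] += ts * dx0;
        x[1] += ts * dx1;
    }
    return x[0];
}

/* Continuous-time steady state of x1 for constant u: solving
   A x + B phi(u) = 0 for A_PLANT and B_PLANT gives x2 = 0, x1 = phi(u) / 10. */
double steady_state_x1(double u)
{
    return lut_interp(LUT_U, LUT_PHI, LUT_N, u) / 10.0;
}

int main(void)
{
    const double factors[] = {2.0, 20.0};
    const double u = 0.625;               /* constructed valve command */
    for (int i = 0; i < 2; i++) {
        double ts = sample_time(FASTEST_MODE, factors[i]);
        printf("oversampling %4.0fx: ts = %.4f s, x1(10 s) = %.6g, steady state = %.3f\n",
               factors[i], ts, simulate_x1(ts, 10.0, u), steady_state_x1(u));
    }
    return 0;
}
```

With a factor of 2 the product of step size and fastest mode is π, beyond the forward-Euler stability limit of 2, and the computed state diverges; with a factor of 20 it is about 0.31 and x1 settles at the continuous-time steady state.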

The memory requirements for storing Hammerstein-Wiener models are slightly 
larger than for linear models due to the presence of nonlinear functions. The bur- 
den related to evaluating these functions can be partly moved from the processor to 
memory by replacing online function evaluation with table lookup. The memory re- 
quirements for storing PWA models depend heavily on the desired model accuracy. 
If high numbers of polytopes are required to achieve satisfactory model accuracy, 
then the memory burden may become prohibitive. 

In summary, the online implementation of reconfiguration blocks with fixed para- 
meters is practically feasible on contemporary embedded real-time control hardware 
for medium-size systems with moderately fast dynamics. 

However, the synthesis of the reconfiguration block parameters imposes a considerable
computational burden that is too high for contemporary embedded real-time
controllers, since it requires the solution of large systems of LMIs. Furthermore, their
solution requires complex numerical methods that are generally unavailable on such
hardware. It is, however, not necessary to collocate the synthesis of reconfiguration
block parameters with its real-time execution on the same hardware. It is generally
recommended to separate the supervision tasks such as fault diagnosis and
reconfiguration block synthesis from real-time control execution, as shown in Fig. 12.2.

Fig. 12.2 Hardware architecture of a real-time control framework with reconfiguration block.



Figure 12.2 shows a physical plant with actuators and sensors, embedded real-time
control hardware, and a supervisory control component, which are linked over a
digital fieldbus. The nominal controller and reconfiguration block are implemented
and executed on the embedded real-time control hardware. This architecture requires
deciding on the class of the used reconfiguration block before process startup.
The inactivity conditions ensure that the closed-loop behaviour is not affected by
the reconfiguration block prior to the occurrence of faults. The supervisory control
component (implemented on a workstation or server, for example) monitors the
measured and manipulated signals and performs fault diagnosis tasks (FDI). If a
fault is detected and isolated, the supervisory control component computes suitable
parameters for the reconfiguration block and communicates these parameters to the
embedded control hardware as indicated by the broad arrow, which updates the
reconfiguration block parameters, and thereby activates the reconfiguration block. By
following through these steps, control reconfiguration is achieved.

Furthermore, it is not necessary to collocate the nominal controller and the
reconfiguration block on the same embedded real-time control hardware. Two (or more,
in the case of decentralised nominal control) embedded controllers may be used,
as long as the information flow indicated in Fig. 12.1 is achieved. Digital fieldbus
networks (such as Profibus, Profinet, FoundationFieldbus, CAN, and FlexRay)
1 16611 are nowadays used for numerous reasons, but they are also advantageous for
adding reconfigurable control by means of reconfiguration blocks to existing
controllers without any physical rewiring. In digital fieldbus networks, changing the
signal flow does not require physical rewiring. In particular, it is possible to achieve
fault-tolerance by adding new real-time hardware that implements the reconfiguration
block without changing the existing control laws. This aspect is important
when adding fault-tolerance to existing plants and control schemes with proven
functionality.

When seeking to improve plant dependability by means of reconfiguration 
blocks, it should be kept in mind that every additional system component increases 
the overall system complexity and might become a single point of failure. Redun- 
dant computational hardware and redundant communication channels may be nec- 
essary to achieve overall system dependability. 



12.3 Rapid Prototyping Toolbox for MATLAB and Simulink 

The virtual actuators and virtual sensors described in this monograph have been
implemented as Simulink blocks in a MATLAB toolbox for reconfigurable control
called CdRe whose Simulink library is shown in Fig. 12.3. The virtual sensor is
available for linear systems (Definition 4.4), for systems with saturations in the input
and output paths (a special case of Definition ^, ll where φ = sat and h = sat), and for
piecewise affine systems (Definition 10.1 and Definition 11.3). The virtual actuator
is available for linear systems (Definition 4.5), for systems with input saturations
(Definition !? . 1 I where φ = sat), and for piecewise affine systems (Definition 10.2 and
Definition 11.4). Every block has a mask where the model parameters are entered,
and where the desired design method is chosen. The available toolbox functionality
is briefly described below; details are found in the toolbox documentation [168].

Fig. 12.3 CoKe: a MATLAB toolbox for rapid prototyping of reconfiguration blocks.

The linear virtual actuator block offers the following design methods:

• Pseudoinverse method (see I33tl )

• Stability recovery (Theorem 4.9)

• Setpoint tracking recovery, zero placement (Theorem 4.10)

• Setpoint tracking recovery, integrators (see 120211 )

• Exact performance recovery, Markov parameters (see ll7lUl75ll )

• Exact performance recovery (Theorem 4.11)

• Approximate performance recovery (see [180])

• Optimal performance recovery (Theorem 4.14)

• Approximate performance recovery, minimum output correction (see 117511 )

• Automatic choice of the strongest solvable reconfiguration problem.

It has been shown that the pseudoinverse method is not reliable. It cannot guarantee
stability 120211 and may even fail to close the loop after an actuator failure although
trivial reconfiguration solutions exist 1175II.

The linear virtual sensor block provides the following design methods: 



• Pseudoinverse method (see 113311 )

• Stability recovery (Theorem 4.2)

• Setpoint tracking recovery, zero placement (Theorem 4.3)

• Setpoint tracking recovery, integrators (see 120211 )

• Exact performance recovery, Markov parameters (see I17ull75ll )

• Exact performance recovery (Theorem 4.4)

• Approximate performance recovery (see [180])

• Optimal performance recovery (Theorem 4.7)

• Automatic choice of the strongest solvable reconfiguration problem.

The saturated virtual actuator block offers the following design methods: 

• Stability and setpoint tracking recovery, Kalman-Yakubovich equations (see
fl72h - TheoremO)

• Stability and setpoint tracking recovery, LMI (Corollary 6.1, Theorem 7.1)

• Stability and optimal performance recovery (Theorem 8.3).

The saturated virtual sensor block provides the following design methods:

• Stability and setpoint tracking recovery, Kalman-Yakubovich equations (see
1 17211 - dual to Theoremim)

• Stability recovery, LMI (Corollary 6.2)

• Stability and optimal performance recovery (dual to Theorem 8.3).



The saturated virtual actuator and saturated virtual sensor are special cases of their 
general Hammerstein-Wiener counterparts. For given specific nonlinear functions, 
the provided blocks can be easily modified by editing the underlying implementa- 
tion code. 

The PWA virtual actuator block implements the following design methods: 

• Stability recovery (Theorem 10.1)

• Stability and setpoint tracking recovery, mode-dependent feedforward gains

• Stability and setpoint tracking recovery, common feedforward gains

• Stability and setpoint tracking recovery (Theorem 11.1).

The PWA virtual sensor block offers the following design methods:

• Stability recovery (Theorem 10.1)

• Stability and setpoint tracking recovery, mode-dependent feedforward gains

• Stability and setpoint tracking recovery, common feedforward gains

• Stability and setpoint tracking recovery (Theorem 11.1).

Furthermore, the toolbox contains blocks for computing feasible setpoints from
infeasible setpoints (Algorithm 7.1), as well as fault generators and signal breakers
that simplify the intentional introduction of faults into simulations and experiments.
The representable faults include degradation by means of gain reduction, offsets,
and complete failure with or without offsets, according to Equations (4.12), (4.13)
as well as Equation (9.8). The fault generators and signal breakers are applicable to
actuator and sensor signals alike.

Figure 12.4 shows a typical block diagram for fault-tolerant control with the
fault-hiding approach. The reconfiguration block consists of a PWA virtual actuator and a
PWA virtual sensor in this example, which have to be connected as shown. The fault
is provoked by means of actuator fault generators and sensor fault generators, which
trigger signal breakers. In reality, the faults are, of course, not artificially generated,
but occur autonomously and spontaneously. The information about the actuator and
sensor faults is provided by a fault diagnosis block as indicated in Fig. 12.4.



12.4 Further Applications 

The previous sections of this chapter have explained how to use reconfiguration
blocks in an online control reconfiguration framework. However, the fault-hiding
concept that led to virtual actuators and virtual sensors is also applicable in other
fault-tolerant control frameworks as well as in application domains completely
outside fault-tolerant control.

Fig. 12.4 Typical block diagram for fault-tolerant control with the fault-hiding approach.

First, reconfiguration blocks can also be used in fault-tolerant control schemes
where reconfigured controllers are designed offline and where the online part of
reconfiguration reduces to the selection of the appropriate reconfigured controller
from a database, as shown in Fig. 12.5. These so-called projection approaches are
used if exhaustive testing of all controllers by means of extensive simulations is 
necessary. Exhaustive controller tests are customary in aviation and nuclear power 
industries, for example. The fault-hiding framework provides clear problem formu- 
lations, reconfigurability analysis techniques with necessary and sufficient condi- 
tions for the linear case as well as sufficient conditions for the nonlinear cases, and a 
structure of the reconfigured controller that has an intuitive interpretation as the dif- 
ference between nominal and reconfigured behaviours. Therefore, it may be useful 
to apply the fault-hiding approach in offline synthesis problems as well as in online 
synthesis problems. 

Fig. 12.6 Control of underactuated systems by means of virtual actuators.

Second, the concept of virtual actuators is also useful in control problems that
are completely outside of the domain of fault-tolerant control. Controller synthesis
is relatively easy to achieve with full access to the state derivatives through suitable
actuators. On the other hand, many physical plants are classified as so-called
underactuated systems, which simply means that the control vector does not span
the entire state space. The ship used as a running example in this monograph is 
an example of an underactuated system. The thruster and rudder actuators permit 
the direct control of surge and yaw velocity, but the sway velocity is not directly 
actuated (unless bow and stern thrusters are installed, which are usually used only 
in harbour maneuvers). Virtual actuators can simplify the controller synthesis as 
follows. First, a controller is designed for the fictitious fully actuated system with 
hypothetical further actuators (such as bow thrusters in the ship example). To im- 
plement this control law on the underactuated system, a virtual actuator is used, 
which is based on two models. The first model corresponds to the nominal system 
(in the terminology of fault-tolerant control) or to the fully actuated system (in the 
terminology of underactuated systems). The second model corresponds to the faulty 
system (in the terminology of fault-tolerant control) or to the underactuated system 
(in the terminology of underactuated systems). The virtual actuator translates be- 
tween these two different systems. From this point of view, actuator faults change a 
given system from richer actuation to sparser actuation. 
The problem of controlling distributed parameter systems described by partial
differential equations (PDEs) is closely related to the control of underactuated
systems. Usually, the physical plant is actuated in a finite number of points, which is
called point-wise control or boundary control in the literature on distributed parameter
control (see, for example, II 1 0711 1). A spatial discretisation of the PDE typically
leads to a large system of first-order differential equations representable in
state-space form. Classical controller synthesis techniques are in principle applicable to
the state-space system. With point-wise control, typically an underactuated system
results, and the virtual actuator can be used to implement the controller designed for
the fully actuated system. This approach has been successfully applied 1361116711 to
a pipeline system described by the semi-linear transport equation B73I1.



Chapter 13 

Fault-Tolerant Control of a Thermofluid Process 



Abstract. This chapter shows simulated and experimental applications of the recon- 
figurable control methods presented in this monograph to a thermofluid process that 
has been realised on the test bed plant VERA. Closed-loop trajectories of the recon- 
figured process are discussed for various fault scenarios. They demonstrate that the 
approach is indeed suitable for solving reconfigurable control problems in practice. 



13.1 Pilot Plant VERA 

To test the control reconfiguration methods described in this monograph, the chemical
pilot plant VERA (German for Verfahrenstechnische Pilotanlage) at the Institute
of Automation and Computer Control is used (Fig. 13.1). The plant is used for the
experimental evaluation of automation and control methods in a realistic, industrial 
environment. In this monograph, a thermofluid process implemented on VERA is 
used as a benchmark process. 

Its process hardware consists of 8 tanks with a complex pipe system as well as 64 
sensors and 82 actuators. Standard industrial components are used throughout the 
plant. The tanks differ with respect to their usability in processes. The educt tanks 
T1-T4 in the upper part provide raw substances or store intermediate products. They 
are connected to reactors TB, TM and TS located below via pipes. The reactors 
TB and TS are equipped and instrumented for performing exothermal as well as 
endothermal reactions. Reactor components comprise stirrers, heaters, coolers and 
various sensors. The tank TM is exclusively assigned to blending or storage tasks. 
Waste water is stored in the tank TW. 

To control the medium flow, discrete cut-off valves, continuous control valves 
(all pneumatically driven), electrical centrifugal pumps and a pneumatically driven 
membrane pump are available. By means of numerous sensors, physical quantities 
such as level, flow, temperature, electrical conductivity and pH-value are measurable
at locations of interest. 

Plant automation, control and supervision are based on two industrial program- 
mable logic controllers (PLCs) of the type SIMATIC S7-300, which host a plant 



J.H. Richter: Reconfigurable Control of Nonlinear Dynamical Systems, LNCIS 408, pp. 203 
springerlink.com © Springer- Verlag Berlin Heidelberg 



228. 
20T1 



204 



13 Fault-Tolerant Control of a Thermofluid Process 




Fig. 13.1 Chemical pilot plant VERA at the Institute for Automation and Computer Control 
in Bochum. 



protection system B85I1 as well as subordinate control loops, and provide an inter- 
face to rapid control prototyping software. Rapid control prototyping is based on 
MATLAB and Simulink, while process monitoring and manual operation are pro- 
vided by Simatic WinCC software, each implemented on dedicated workstations. 
The connection between MATLAB and the PLCs is a custom solution described in 
[159, 160] that is based on the internet standard protocol UDP over IP.

In view of Chapter 12, the nominal controller, the reconfiguration block, and the
process supervision tasks are all collocated on the rapid prototyping workstation
running MATLAB and Simulink.

13.2 Thermofluid Process

Process Description

The thermofluid process illustrated in Fig. 13.2 is implemented on the pilot plant
VERA. This process is used for evaluating the practical usefulness of the control
reconfiguration methods developed in this monograph. The process purpose
necessitates the regulation of

• fluid level $l_{TS}$,

• temperature $\vartheta_{TS}$, and

• electrical conductivity $v_{TS}$

of a salt water solution in the reactor TS. In the nominal situation, three decentralised
main control loops solve this task, which use the actuators best suited for solving
the respective control task.

The electrical conductivity $v_{TS}$ is regulated to its setpoint $r_{v,TS} = 2.1$ mS/cm by
means of the control valve $u_{TB}$, which manipulates the salt water mass flow rate
$\dot{m}_{TB}$ from reactor TB to reactor TS and has an actuation range $u_{TB} \in [0,1]$. The
electrical conductivity of the liquid in TB is $v_{TB} = 4$ mS/cm. The desired electrical
conductivity in reactor TS results from blending the salt concentrate from TB with
cold water at the mass flow rate $\dot{m}_{CW}$, which is manipulated by means of the control
valve input $u_{CW}$ via a subordinate control loop. The setpoint is nominally fixed
to 0.04 kg/s, but potentially variable, so that the controlled cold water supply is
viewed as an actuator $u_{CW}$. The level $l_{TS}$ is kept at its setpoint $r_{l,TS} = 0.335$ m
using the variable speed $u_{PS}$ of the pump PS with the actuation range $u_{PS} \in [0,1]$,
which empties the reactor TS into the waste-water tank TW. The temperature $\vartheta_{TS}$ is
regulated to the setpoint $r_{\vartheta,TS} = 25$ °C using the electrical heater input $u_{el,TS}$ and the
actuation range $u_{el,TS} \in [0,1]$. The control valve $u_{TM}$ for controlling the mass flow
rate $\dot{m}_{TM}$ remains closed in the nominal process. It provides access to the redundant
source of salt concentrate in the reactor TM. Redundancies are described in more
detail below.

Two further subordinate control loops keep the levels in the salt concentrate tanks
TB and TM constant at $l_{TB} = 0.41$ m and $l_{TM} = 0.31$ m by means of top up from
educt tanks. The temperature in TB is furthermore regulated to the fixed setpoint
$\vartheta_{TB} = 25$ °C using the heater input $u_{el,TB}$ in the reactor TB in order to compensate for
the cooling in the unheated educt tanks. These subordinate loops are only auxiliary
to the process of interest. They enable longer process operation, which is limited
due to the finite tank capacities.

This process has been used to evaluate the linear virtual actuator [177, 178], and it
has been used in several student projects fll. n^ . [l^[T^ . [l^[T6"2l ll88 [ |l90 l l218ll. 



In the prior simulations and experiments, it was found that linear virtual actuators 
are capable of successful reconfigurable control only for a very limited number of 
the possible actuator fault scenarios. Models of the thermofluid process and nominal 
controllers are discussed in the following sections. Afterwards, the nominal control 
scheme and the fault scenarios are defined.

Fig. 13.2 Flow diagram of the thermofluid process with redundant components.



Process Models 



In this section the process models are described. The structure of the nonlinear state- 
space model is given, and the complete linearised state-space model is provided. The 
complete nonlinear model with physical parameters is given in Appendix E.1. The
nonlinear model and its linear approximation have been derived in [188] and first
published in [177, 178]. The piecewise affine model was derived from the nonlinear
model in Jl|]. 

Nonlinear state-space model. The nonlinear state-space model of the form (13.2) is
based on the following definitions of the state $x(t) \in \mathbb{R}^7$, the input $u_c(t) \in \mathbb{R}^6$, the
disturbance $d(t) \in \mathbb{R}$, and the output $y(t) \in \mathbb{R}^4$:



Instead of the electrical conductivity $v_{TS}$, the added salt concentration $c_{TS}$ is used as
a state variable, which is connected with the electrical conductivity via a static
relationship. Further state variables are $x_{CW}$, $x_{el,TB}$ and $x_{el,TS}$, representing the dynamics
of actuation systems with first-order delay character. The disturbance represents
unmodelled and unknown variations of the salt concentration in the supply container
TB. The model has the form (13.2), which is the basis for the derivation of a linearised
perturbation model around the nominal setpoint, as well as a piecewise affine model.

Linear model. A linearisation of the nonlinear state-space model (13.2) around the
equilibrium given in Table E.2 of Appendix E.1 leads to a linear state-space model
with the matrices

The system matrix has the stable eigenvalues shown on the diagonal of matrix A
given in Equation (13.1).

The linear state-space model is a much simplified process representation that
naturally neglects any nonlinearities. The most relevant nonlinearities are actuator
saturations, followed by quantisation of sensor measurements and actuator inputs,
and dead time. The quantisation scheme of control valve inputs is furthermore
nondeterministic in reality. Near the equilibrium, the linear model is valid up to
saturations, minor quantisation effects, dead zones and delays.

Hammerstein-Wiener model. The Hammerstein-Wiener model (5.1) for the
thermofluid process has the same linear dynamics as the linear model derived in the
previous section, augmented by the actuator constraints that are modelled as
saturations of the input signals at lower bounds $\underline{u}$ and upper bounds $\overline{u}$, defined
relative to the linearisation equilibrium point in Table 13.1.

Table 13.1 Thermofluid process actuator constraints expressed as lower and upper saturation
bounds relative to the linearisation equilibrium.

Actuator       Lower bound $\underline{u}$    Upper bound $\overline{u}$
$u_{TM}$        0                 1
$u_{TB}$        -0.16             0.84
$u_{el,TB}$     -0.0007           0.9993
$u_{el,TS}$     -0.6              0.4
$u_{CW}$        -0.04             0.06
$u_{PS}$        -0.53             0.47


Piecewise affine model. A PWA model of the form (9.1) has been derived from the
nonlinear model of the form (13.2). More precisely, the nonlinear model is of the
input-affine form

$$
\begin{aligned}
\dot{x}(t) &= f(x(t)) + g(x(t))\,u(t) + B_d\,d(t) \\
y(t) &= C\,x(t) \\
z(t) &= C_z\,x(t),
\end{aligned}
\qquad (13.2)
$$

where the input gain g(x) depends nonlinearly on the present state. Since the theory
of PWA reconfiguration blocks developed in this monograph requires continuous
vector fields, a constant approximation of the term g(x) is necessary. Therefore, the
matrix B used in the PWA model (9.1) is taken as the Jacobian evaluated at the
typical operating point of the process, as it was described in Chapter l4~Tl 

Since the states $x_{CW}$, $x_{el,TS}$, and $x_{el,TB}$ of the thermofluid process are governed by
linear dynamics, it is not necessary to approximate the corresponding part of the
model. For this reason, the state was split into a linear part and a nonlinear part,
which are in series interconnection, where the output of the linear part is the input
of the nonlinear part. Only the state set corresponding to the nonlinear part was
approximated by PWA dynamics. This part was split into 48 simplices that cover
the cube 10 °C < $\vartheta_{TS}$ < 40 °C, m < $l_{TS}$ < 0.4 m, 0.4 mS/cm < $v_{TS}$ < 4.5 mS/cm,
and 10 °C < $\vartheta_{TB}$ < 40 °C. The entire PWA model was obtained by composing the
linear part (three states) and the approximation of the nonlinear part (four states).
Consequently, the overall state-space partition does not consist of simplices but of
more general polytopes. The complete PWA model is given in Appendix E.2.

Nominal Controller

A decentralised control scheme is applied to solve the control task for the nominal
process. Three proportional-integral (PI) controllers

$$u_{TB}(t) = k_P \left(r_{v,TS}(t) - v_{TS}(t)\right) + k_I \int_0^t \left(r_{v,TS}(\tau) - v_{TS}(\tau)\right) d\tau$$

$$u_{el,TS}(t) = k_P \left(r_{\vartheta,TS}(t) - \vartheta_{TS}(t)\right) + k_I \int_0^t \left(r_{\vartheta,TS}(\tau) - \vartheta_{TS}(\tau)\right) d\tau$$

$$u_{PS}(t) = k_P \left(r_{l,TS}(t) - l_{TS}(t)\right) + k_I \int_0^t \left(r_{l,TS}(\tau) - l_{TS}(\tau)\right) d\tau$$

with distinct proportional gains $k_P$ and integral gains $k_I$ are employed for the
regulation of $v_{TS}$, $l_{TS}$ and $\vartheta_{TS}$, where $r_{(\cdot)}$ denotes the respective reference signal. All
controllers operate at a fixed sampling time of 200 ms.

The controller parameters given in Table 13.2 were obtained from initial tuning
using the nonlinear process model, followed by fine-tuning on the physical process. 
The setpoint following requirement motivates the use of PI controllers, whereas the 
tuning aims at fast response with little overshoot. The design procedure reflects com- 
mon practice in industry, where decentralised controllers are preferred over coupled 
controllers for ease of tuning and maintenance, whenever the process allows such 
control strategies. 



Table 13.2 Parameters of the nominal controllers.

Loop                                   $k_P$    $k_I$
Electrical conductivity $v_{TS}$       30       0.1
Level $l_{TS}$                         -25      -0.15
Temperature $\vartheta_{TS}$           2        0.025



The behaviour of the nominal control loop after an increase of the setpoints for
the temperature $\vartheta_{TS}$ at t = 300 s, the fluid level $l_{TS}$ at t = 250 s, and the electrical
conductivity $v_{TS}$ at t = 200 s is shown in Fig. 13.3. The figure shows a simulation,
where a detailed nonlinear model is used to represent the process. The upper three
axes show the process outputs, while the lower axes represent the inputs. The new
setpoints are reached quickly by moving the heater $u_{el,TS}$, the pump $u_{PS}$, and the
valve $u_{TB}$. In this and in all following figures, grey boxes symbolise hard constraints
on the fluid level imposed by the heating rods, which are forbidden to operate in dry
condition, and by the reactor height.

13.3 Fault Scenarios and Redundancy 

Several fault scenarios are used in the sequel to test the control reconfiguration
methods by means of virtual sensors and virtual actuators. Actuator faults are denoted by
$f_a$, whereas sensor faults are denoted by $f_s$.

Fig. 13.3 Nominal experimental process response to setpoint changes for temperature $\vartheta_{TS}$,
level $l_{TS}$, and electrical conductivity $v_{TS}$.

Actuator Faults

Each actuator fault represents a complete failure of at least one actuator, such that
for any fault, at least one of the nominal control loops for $v_{TS}$, $\vartheta_{TS}$, or $l_{TS}$ is broken.
All actuator faults occur abruptly at time $t_f = 210$ s in all experiments and remain
active thereafter (permanent, non-transient faults). To assure that the results are
informative with respect to the reconfiguration success, each experiment involves a
setpoint change that requires using the respective failed actuator.

The first actuator fault is a blockage of the valve $u_{TB}$ at the equilibrium point,
which is represented by the new input matrix:

$$f_{a1}:\; u_{TB}(t > t_f) = \bar{u}_{TB}, \qquad B_{f1} = (b_1 \;\; 0 \;\; b_3 \;\; b_4 \;\; b_5 \;\; b_6).$$

The nominal loop for the electrical conductivity $v_{TS}$ is broken, because the inflow
rate to reactor TS from the reactor TB cannot be manipulated any more. This fault
is realistic because most of the time, the valve operates near its equilibrium, unless
disturbances have to be compensated. Furthermore, many technological valves have
fail-safe positions for which the equilibrium values can be chosen.

The second actuator fault is a failure of the heater $u_{el,TS}$ at the equilibrium, which
is described by the following matrix:

$$f_{a2}:\; u_{el,TS}(t > t_f) = \bar{u}_{el,TS}, \qquad B_{f2} = (b_1 \;\; b_2 \;\; b_3 \;\; 0 \;\; b_5 \;\; b_6).$$

Since the temperature control loop uses the heater in the reactor TS, the control of
the temperature $\vartheta_{TS}$ is ineffective after the fault $f_{a2}$ occurs. Failure at the operating
point means that neither can further heater elements be switched on nor can
operating ones be switched off. The latter scenario occurs when relays get stuck in closed
position.

The third actuator fault is a failure of the pump speed control loop while the pump
speed $u_{PS}$ is at the equilibrium,

$$f_{a3}:\; u_{PS}(t > t_f) = \bar{u}_{PS}, \qquad B_{f3} = (b_1 \;\; b_2 \;\; b_3 \;\; b_4 \;\; b_5 \;\; 0).$$

The outflow from the reactor TS is fixed after this fault, and the nominal level
control loop is broken. The technological representation of this fault is a failure of the
pneumatic control valve which determines the pump velocity, while the pump runs
at its equilibrium speed. All further actuator faults are combinations of the previous
faults.

The fourth actuator fault is a combination of the heater failure $f_{a2}$ and the pump
failure $f_{a3}$,

$$f_{a4}:\; u_{el,TS}(t > t_f) = \bar{u}_{el,TS},\; u_{PS}(t > t_f) = \bar{u}_{PS}, \qquad B_{f4} = (b_1 \;\; b_2 \;\; b_3 \;\; 0 \;\; b_5 \;\; 0).$$

The fifth actuator fault is a combination of the valve failure $f_{a1}$ and the pump failure
$f_{a3}$,

$$f_{a5}:\; u_{TB}(t > t_f) = \bar{u}_{TB},\; u_{PS}(t > t_f) = \bar{u}_{PS}, \qquad B_{f5} = (b_1 \;\; 0 \;\; b_3 \;\; b_4 \;\; b_5 \;\; 0).$$

The sixth actuator fault is a combination of the valve failure $f_{a1}$ and the heater failure
$f_{a2}$,

$$f_{a6}:\; u_{TB}(t > t_f) = \bar{u}_{TB},\; u_{el,TS}(t > t_f) = \bar{u}_{el,TS}, \qquad B_{f6} = (b_1 \;\; 0 \;\; b_3 \;\; 0 \;\; b_5 \;\; b_6).$$

The seventh actuator fault is a combination of all three main actuator failures $f_{a1}$,
$f_{a2}$, and $f_{a3}$,

$$f_{a7}:\; u_{TB}(t > t_f) = \bar{u}_{TB},\; u_{el,TS}(t > t_f) = \bar{u}_{el,TS},\; u_{PS}(t > t_f) = \bar{u}_{PS}, \qquad B_{f7} = (b_1 \;\; 0 \;\; b_3 \;\; 0 \;\; b_5 \;\; 0).$$

The eighth and last actuator fault is a combined failure of both valve $u_{TB}$ ($f_{a1}$) and
the redundant valve $u_{TM}$,

$$f_{a8}:\; u_{TB}(t > t_f) = \bar{u}_{TB},\; u_{TM}(t > t_f) = \bar{u}_{TM}, \qquad B_{f8} = (0 \;\; 0 \;\; b_3 \;\; b_4 \;\; b_5 \;\; b_6).$$

One actuator redundancy is the additional but not identical salt concentrate reservoir
in the reactor TM with an electrical conductivity of $v_{TM} = 4.5$ mS/cm and a
temperature of $\vartheta_{TM} = 24.5$ °C. The concentrate is accessible for TS via the control valve
$u_{TM}$, which remains closed during nominal process operation. Further available
redundant actuation components are the heater with control input $u_{el,TB}$ in the supply
tank TB, and the cold water supply through valve $u_{CW}$. In particular, the valve $u_{CW}$
shows a marked nondeterministic quantised behaviour, hence it is best-suited for
constant position operation.
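
The nominal level PI loop (Table 13.2, 200 ms sampling) and the actuator fault definitions above can be exercised together in a short simulation. The following Python sketch is an added example and not code from the monograph: the gains, saturation bounds, fault sets and $t_f$ are taken from the text, while the integrator plant with gain 0.01, the 0.02 m setpoint step at 250 s, and all function names are assumptions made for illustration.

```python
"""Added illustration (not from the monograph): level PI loop and actuator faults."""

TS = 0.2     # controller sampling time in s (200 ms, from the text)
T_F = 210.0  # fault occurrence time t_f in s (from the text)

# Actuator order = column order b1..b6 of the input matrix B (Table 13.1 order).
ACTUATORS = ("u_TM", "u_TB", "u_el,TB", "u_el,TS", "u_CW", "u_PS")

# Table 13.1: saturation bounds relative to the linearisation equilibrium.
# u_TM is closed at the equilibrium, hence its lower bound is 0.
BOUNDS = {
    "u_TM": (0.0, 1.0),
    "u_TB": (-0.16, 0.84),
    "u_el,TB": (-0.0007, 0.9993),
    "u_el,TS": (-0.6, 0.4),
    "u_CW": (-0.04, 0.06),
    "u_PS": (-0.53, 0.47),
}

# Failed actuators per fault scenario (Section 13.3); None is the nominal case.
FAULTS = {
    None: frozenset(),
    "f_a1": frozenset({"u_TB"}),
    "f_a2": frozenset({"u_el,TS"}),
    "f_a3": frozenset({"u_PS"}),
    "f_a4": frozenset({"u_el,TS", "u_PS"}),
    "f_a5": frozenset({"u_TB", "u_PS"}),
    "f_a6": frozenset({"u_TB", "u_el,TS"}),
    "f_a7": frozenset({"u_TB", "u_el,TS", "u_PS"}),
    "f_a8": frozenset({"u_TB", "u_TM"}),
}

# Nominal decentralised loops: controlled variable -> actuator used.
NOMINAL_LOOPS = {"v_TS": "u_TB", "theta_TS": "u_el,TS", "l_TS": "u_PS"}


def faulty_input_matrix(B, fault):
    """Return B_f: the columns of failed actuators are replaced by zeros."""
    failed = FAULTS[fault]
    return [[0.0 if ACTUATORS[j] in failed else b for j, b in enumerate(row)]
            for row in B]


def broken_loops(fault):
    """Nominal control loops whose actuator has failed, i.e. loops that are open."""
    failed = FAULTS[fault]
    return sorted(y for y, u in NOMINAL_LOOPS.items() if u in failed)


def plant_input(name, u_c, fault, t):
    """Input deviation that reaches the plant for the controller command u_c.

    A failed actuator is stuck at its equilibrium (deviation 0) for t > t_f,
    a healthy one is saturated at its Table 13.1 bounds.
    """
    if t > T_F and name in FAULTS[fault]:
        return 0.0
    lo, hi = BOUNDS[name]
    return min(max(u_c, lo), hi)


def simulate_level_loop(fault, t_end=1500.0, step_time=250.0, step=0.02, gain=0.01):
    """Discrete PI level loop (k_P = -25, k_I = -0.15) on a constructed plant.

    Assumed plant, in deviation coordinates: d(level)/dt = -gain * u_PS,
    because the pump empties the reactor. Returns the final level deviation
    and the final controller command.
    """
    kp, ki = -25.0, -0.15
    level, integral, u_c = 0.0, 0.0, 0.0
    for k in range(int(round(t_end / TS))):
        t = k * TS
        r = step if t >= step_time else 0.0
        e = r - level
        integral += e * TS
        u_c = kp * e + ki * integral            # nominal PI control law
        u_f = plant_input("u_PS", u_c, fault, t)
        level += TS * (-gain * u_f)             # explicit Euler step of the plant
    return level, u_c


if __name__ == "__main__":
    for fault in (None, "f_a1", "f_a3"):
        level, u_c = simulate_level_loop(fault)
        print(fault, broken_loops(fault), round(level, 4), round(u_c, 3))
```

With the pump fault $f_{a3}$ the level stays at its old value while the PI command keeps growing beyond the saturation bound, which is the open-loop situation that the reconfiguration block has to remedy.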



Sensor Faults 

The considered sensor faults are single failures of sensors that measure the
regulated variables, namely the fluid level $l_{TS}$, the fluid temperature $\vartheta_{TS}$, and the fluid
electrical conductivity $v_{TS}$.

The first sensor fault is a failure of the sensor for the temperature $\vartheta_{TS}$,

$$f_{s1}:\; y_1(t > t_f) = 0, \qquad C_{f1} = (0 \;\; c_2^T \;\; c_3^T \;\; c_4^T)^T,$$

the second sensor fault is a failure of the sensor for the level $l_{TS}$,

$$f_{s2}:\; y_2(t > t_f) = 0, \qquad C_{f2} = (c_1^T \;\; 0 \;\; c_3^T \;\; c_4^T)^T,$$

and the third sensor fault is a failure of the sensor for the electrical conductivity $v_{TS}$,

$$f_{s3}:\; y_3(t > t_f) = 0, \qquad C_{f3} = (c_1^T \;\; c_2^T \;\; 0 \;\; c_4^T)^T.$$

The fault diagnosis task is assumed to be perfectly solved throughout the study, 
as far as detection and isolation are concerned. The fault isolation event triggers
the model-based design of the virtual actuator and virtual sensor, respectively, to
reconfigure the control law in response to the faults according to one of the recon- 
figuration algorithms. Subsequently, a virtual actuator or virtual sensor is activated 
by replacing its inactivity parameters with newly designed ones. 



13.4 Reconfigurability Analysis 

This section presents the results of a comprehensive reconfigurability analysis for 
the thermofluid process. Although the real plant exhibits nonlinear behaviour, it 
is helpful to include the linear conditions into a comprehensive reconfigurability 
analysis for two reasons. 

First, they are necessary and sufficient, and therefore crisp conditions, and the 
violation of such a condition implies that the reconfiguration is not even possible lo- 
cally around the chosen equilibrium. The practical system, which might deviate con- 
siderably from the equilibrium neighborhood, is unlikely to be easier to reconfigure 
than its linear model. In summary, the linear conditions are particularly informative 
when they provide negative answers to the question whether or not a reconfigura- 
tion problem is solvable. Second, linear conditions are easy to check, and they are 
readily available, usually in a numerically stable way. 

However, if linear conditions are satisfied, this result bears limited information 
about the true plant with nonlinear dynamics and input constraints. For this reason, 
a thorough reconfigurability analysis also checks sufficient reconfigurability con- 
ditions obtained from the nonlinear reconfiguration approaches. In the case where 
they are not satisfied, it is unknown whether or not suitable reconfigured controllers 
exist, since the conditions are only sufficient. 



Linear Reconfigurability Analysis 

Actuator faults. Table 13.3 shows the solvability of the linear reconfiguration
problems for all defined actuator faults along with the used conditions for deciding the
solvability of the problems. The table shows that stability can always be achieved,
which is not surprising since the process is open-loop stable. The process also has
sufficient redundancy so that the setpoint tracking property can be recovered after
every fault.

However, the exact performance recovery goal can only be attained after fault $f_{a2}$,
namely after heater failure. This fact has a clear physical interpretation. The heater
control signal affects the fluid temperature in the reactor TS through first-order
delay dynamics. The alternative ways to achieve the same effect consist in changing
the cold-water inflow $u_{CW}$, which also has first-order delay dynamics, as well as the
heater $u_{el,TB}$ in the tank TB, which likewise has first-order delay dynamics. There
exists sufficient redundancy to independently influence temperature, level, and
electrical conductivity with nominal performance. In all other fault scenarios, the
actuators that fail have a more direct influence on some controlled variable than any
possible replacement actuators. For example, the pump has a direct effect on fluid
level, and a redundant level actuation consists in the combined actuation of cold
water and salt concentrate inflows. The cold water supply is, however, governed by
first-order delay dynamics.

Table 13.3 Linear reconfigurability analysis for thermofluid process subject to actuator
faults.

Goal                         Problem  Condition  $f_{a1}$  $f_{a2}$  $f_{a3}$  $f_{a4}$  $f_{a5}$  $f_{a6}$  $f_{a7}$  $f_{a8}$
Stability recovery           4.1      (4.53)     ✓         ✓         ✓         ✓         ✓         ✓         ✓         ✓
Setpoint tracking recovery   4.2      (4.54)     ✓         ✓         ✓         ✓         ✓         ✓         ✓         ✓
Exact performance recovery   4.3      (4.55)     ×         ✓         ×         ×         ×         ×         ×         ×

Legend: ✓: solvable; ×: not solvable.

Since exact performance recovery is not solvable in most fault cases, the optimal
performance recovery is analysed. Figure 13.4 illustrates the solvability of optimal
performance recovery (Problem 4.5). The figure shows numerical Pareto fronts on
a logarithmic scale obtained from solving 100 different values for $\lambda \in [0, 1]$ for each
fault case. The shown achievable $H_\infty$-norms have been computed using the LMI
solver Sedumi 1.1. The convex curved fronts represent fault cases without numerical
problems. Scattered clouds or non-convex curves indicate numerical problems.




Fig. 13.4 Achievable $H_\infty$-norms on input amplification and output error for linear model of
thermofluid process subject to actuator faults.

In spite of the numerical problems, the diagram has an interesting interpretation
in terms of reconfigurability analysis. Pareto fronts that lie in the lower-left corner
of the diagram promise better reconfiguration success: they permit better output
trajectory recovery at less input amplification than upper-right curves. The notation
$f_k < f_l$ means that $f_k$ is easier to reconfigure than $f_l$. With this notation, it is easy to
see from Fig. 13.4 that $f_{a3} < f_{a1} < f_{a2} < f_{a4} < f_{a6} < f_{a5} < f_{a7} < f_{a8}$. As intuitively
expected, all single-actuator faults ($f_{a1}$, $f_{a2}$, $f_{a3}$) are easier to reconfigure than the
two-actuator faults ($f_{a4}$, $f_{a5}$, $f_{a6}$, $f_{a8}$). However, the triple-actuator fault $f_{a7}$ is easier
to reconfigure than the two-actuator fault $f_{a8}$. The latter fault falls out of the fault
pattern in the sense that the failing actuator $u_{TM}$ is a redundant actuator, whereas all
other faults only concern main actuators. Apparently, the failure of both valves that
control salt concentrate inflow makes the control of electrical conductivity difficult.

The diagram has a further interesting interpretation relevant for the design of
new plants. For some fault cases, the corresponding set of points is far spread out
through the diagram, ranging over several orders of magnitude. This means that the
choice of the weight $\lambda$, being the free parameter of the reconfiguration algorithm,
has strong influence on the reconfiguration result. For example, the set of points
associated with fault f a *i spans two orders of magnitude in $\gamma_u$ and one order of
magnitude in $\gamma_z$. Thus, the parameter $\lambda$ has strong influence on both the output error
and the required control effort, and a careful balancing of these contradicting goals
is required. On the other hand, the fault $f_{a1}$ spans only a fraction of an order of
magnitude in $\gamma_u$, but three orders of magnitude in $\gamma_z$, so it is reasonable to put more
weight on the performance index $\gamma_z$ without considerable increase in control effort.
In summary, the example shows that the weight $\lambda$ should depend on the fault case
in practical applications.

Sensor faults. Table 13.4 shows the solvability of the linear reconfiguration
problems for all defined sensor faults. Stable reconfiguration is always achievable,
whereas tracking recovery in the presence of the disturbance on the electrical
conductivity is only possible after the failure of the temperature sensor ($f_{s1}$) and after
the failure of the level sensor ($f_{s2}$). After a failure of the sensor for the electrical
conductivity ($f_{s3}$), the disturbance effect acting on the electrical conductivity
cannot be detected and separated any longer, therefore the setpoint tracking recovery is
not solvable. Exact performance recovery is only possible after failure of the level
sensor ($f_{s2}$).

Table 13.4 Linear reconfigurability analysis for thermofluid process subject to sensor faults.

Goal                         Problem  Condition  $f_{s1}$  $f_{s2}$  $f_{s3}$
Stability                    4.1      (4.31)     ✓         ✓         ✓
Setpoint tracking            4.2      (4.32)     ✓         ✓         ×
Exact performance recovery   4.3      (4.33)     ×         ✓         ×

Legend: ✓: solvable; ×: not solvable.

Fig. 13.5 Achievable $H_\infty$-norms on input amplification and output error for linear model of
thermofluid process subject to sensor faults.



Since exact performance recovery is only achievable in one sensor fault case, 
the solvability of optimal performance recovery is also investigated. The achievable 
$H_\infty$-norms for various weights $\lambda$ to solve Problem 4.5 according to Theorem 4.7
are shown in Fig. 13.5. The analysis shows that although only the fault case fa
permits exact performance recovery, the recovery can be much better approximated 
in the fault cases / s i as well as fa than in the fault case /&. The fault case f s $ turns 
out to be the most problematic sensor fault case with respect to the influence of 
disturbances and noise on the observation error. Taking into account the logarithmic 
scale, the fault case /# can be considered to be not reconfigurable in practice. 

The figure also shows that the achieved performance depends much less on the
weight $\lambda$ than in the actuator case. Therefore, little attention has to be paid to the
choice of the weight, in any fault case.



Hammerstein-Wiener Reconfigurability Analysis 

Actuator faults. Since the matrix A for the thermofluid process is Hurwitz, it is
not surprising that the LMI (6.8) is feasible for every actuator fault case $f_{a1}$ through
$f_{a8}$, and that the LMI (6.11) is feasible for every sensor fault case $f_{s1}$ through $f_{s3}$.
Figure 13.6 shows the achievable solutions of Theorem [O] for varying weight $\lambda \in [0,1]$.
The figure shows similar characteristics as Fig. 13.4 up to certain differences
in the position, spread and ordering of the point sets. The partial order of the actuator
fault reconfigurability is $f_{a3} < f_{a1} < f_{a2} < f_{a5} < f_{a4} < f_{a6} < f_{a7} < f_{a8}$. In particular,
the single-fault cases $f_{a1}$, $f_{a2}$, $f_{a3}$ are still easier to reconfigure than the multiple
actuator faults. In general, the achievable performance is worse than in the linear
case (compare Fig. 13.6 to Fig. 13.4). This result is not surprising, since the solutions
are restricted to maintaining stability in the presence of actuator saturations.

Fig. 13.6 Achievable $H_\infty$-norms on input amplification and output error for linear subsystem
of saturated thermofluid process subject to actuator faults.

Sensor faults. The reconfigurability situation after sensor faults is the same as in 
the linear case, since no nonlinear output function is modelled in the thermofluid 
process. Therefore, the dynamics of the observation error is the same as in the linear 
case. 



Piecewise Affine Reconfigurability Analysis 

Actuator faults. In the analysis of the reconfigurability after actuator faults, it is
assumed that the state of the faulty plant is measurable, so that no virtual sensor is
needed and the conditions describing its synthesis are ignored. In the case of
piecewise affine systems and pure actuator faults, the reconfigurability analysis amounts
to verifying the satisfiability of the LMIs (10.13) with regard to the stability
recovery, and the LMIs (11.23) with regard to the stability and tracking recovery.
Table 13.5 summarises the solvability with regard to stability recovery and
tracking recovery for every fault case. Reconfigurability is given for every actuator fault
scenario and for both goals.

Table 13.5 Piecewise affine reconfigurability analysis for thermofluid process subject to
actuator faults.

Goal                         Problem  Condition  $f_{a1}$  $f_{a2}$  $f_{a3}$  $f_{a4}$  $f_{a5}$  $f_{a6}$  $f_{a7}$  $f_{a8}$
Stability recovery           9.1      (10.13)    ✓         ✓         ✓         ✓         ✓         ✓         ✓         ✓
Setpoint tracking recovery   9.2      (11.23)    ✓         ✓         ✓         ✓         ✓         ✓         ✓         ✓

Legend: ✓: solvable; ×: not solvable.

13.5 Reconfiguration Applications

Hammerstein Virtual Actuator 

This section describes applications of the Hammerstein-Wiener virtual actuator
presented in Chapters 5–8 to the reconfigurable control of the thermofluid process after
actuator faults. The stability results of Chapter 6 are the basis of all simulations and
experiments. In practice, the thermofluid process is very sensitive to fluid level
deviations, since the band of admissible fluid levels is thin due to constraints given by
heating rods and danger of overflow. This situation makes the reconfigurable control
problem very hard to solve in practice. Of all synthesis methods for the saturated
virtual actuator, the optimal performance recovery technique developed in Chapter 8 is
best capable of successful reconfiguration such that the tight physical bounds of the
plant are not exceeded in most fault cases. This result appears because the chosen
synthesis method allows an explicit tradeoff between input amplification and output
recovery, because it considers not only the equilibrium but also the transients, and
because different weights can be attributed to the different outputs.

All forthcoming simulations are based on a detailed nonlinear model of the
thermofluid process. All simulations and experiments are based on Algorithm 8.1
applied with differing tradeoff parameters $\lambda$ and differing weight matrices Q that define
relative priorities between fluid level $l_{TS}$, temperature $\vartheta_{TS}$, and electrical
conductivity $v_{TS}$. The common setting $\lambda = 0.3$ and $Q = I_3$ provides stability and the satisfaction
of the process constraints in the fault cases $f_{a1}$, $f_{a2}$, $f_{a3}$, $f_{a5}$, $f_{a7}$. In the fault cases $f_{a4}$
and $f_{a6}$ that include heater failure, the fluid level overflows the reactor. For this
reason, and to improve performance in the other fault cases, the synthesis
parameters $\lambda$ and Q are adapted in the results below. In order to limit the space required
for the presentation of the results, only the experimental results for the actuator fault
scenarios $f_{a1}$ and $f_{a5}$ are shown.

Valve failure. The simulated reconfigured closed-loop response after valve failure
($f_{a1}$) with a saturated virtual actuator (7.5) is shown in Fig. 13.7. The virtual actuator
design uses multiobjective synthesis with $\lambda = 0.7$ and $Q = I_3$. The virtual actuator
gains that are obtained from Algorithm 8.1 are

The upper three axes show the controlled outputs, which reach their setpoints.
Furthermore, for all three output variables, the transient response shows little overshoot
and transient dynamics that are adequate compared to the given dynamics of this
process. The lower six axes show the control inputs $u_f$ acting on the faulty plant
in black and the control inputs $u_c$ given by the nominal controller in grey. Thus,
the influence of the virtual actuator is clearly visible. The heater $u_{el,TS}$ repeatedly
reaches its saturation bounds, nevertheless the process is stable. The other inputs
remain well within their given saturation bounds, which is a consequence of the
good damping imposed by the passivity condition that is embedded into the
synthesis. The experimental results obtained with the saturated virtual actuator synthesised
based on the same values for the design parameters $\lambda$ and Q are shown in Fig. 13.8.
The experiment qualitatively confirms the observations made about the simulations.
From now on, only experiments are shown where available.

Valve and pump failure. The experimental reconfigured closed-loop response after
valve and pump failure ($f_{a5}$) using a saturated virtual actuator (7.5) is shown in
Fig. 13.9. The virtual actuator design uses multiobjective synthesis with $\lambda = 0.5$
and $Q = \mathrm{diag}(0.1, 1, 0.1)$. The virtual actuator gains that are obtained with this
setting from Algorithm 8.1 are

The controlled outputs shown in the three upper axes are all stable. The temperature
and fluid level attain their setpoints, whereas the electrical conductivity exceeds its
setpoint. The transient response is smooth and well-damped. The experiment shows
that the virtual actuator is sufficiently robust for stabilising the process in spite of
unmodelled nonlinear dynamics. The only control input that reaches its saturation
bounds is the electrical heater $u_{el,TS}$. All other control inputs show small variations
over the used time interval.

Fig. 13.7 Simulated reconfigured closed-loop response after valve failure ($f_{a1}$) with saturated
virtual actuator using multi-objective synthesis.

Fig. 13.8 Experimental reconfigured closed-loop response after valve failure ($f_{a1}$) with
saturated virtual actuator using multi-objective synthesis.

Fig. 13.9 Experimental reconfigured closed-loop response after valve and pump failure ($f_{a5}$)
with saturated virtual actuator using multi-objective synthesis.



Hammerstein-Wiener Virtual Sensor 

This section describes applications of the saturated virtual sensor presented in
Chapter 6 to the reconfigurable control of the thermofluid process after sensor faults. The
stability results of Chapter 6 are the basis of all simulations and experiments. All
simulations use the detailed nonlinear model to represent the process.

Temperature sensor failure. The experimental reconfigured closed-loop response
after the failure of the temperature sensor in the reactor TS ($f_{s1}$) is shown in
Fig. 13.10. The virtual sensor design based on multiobjective synthesis with $\lambda = 0.5$
results in the output error injection gain



L = 



The virtual sensor stabilises the closed-loop system, as the solvability conditions
promise. The state estimate for the temperature $\vartheta_{TS}$ is biased by about 1 K.
Altogether, the process remains stable, the fluid level $l_{TS}$ and the electrical conductivity
$\nu_{TS}$ attain their setpoints, and the temperature stays very close to its setpoint. The
estimation offset is due to model errors that enter the estimation error as disturbances.

Level sensor failure. The simulated reconfigured closed-loop response after the
failure of the level sensor in the reactor TS ($f_{s2}$) is shown in Fig. 13.11. The virtual
sensor design uses multiobjective synthesis with $\lambda = 0.3$ and results in the output
error injection gain

The saturated virtual sensor stabilises the closed-loop system, as the solvability
conditions promise. The fluid level is, however, estimated with a slight steady-state
offset of about 2 cm. Still, the estimate is sufficiently accurate to keep the true outputs
sufficiently close to their setpoints.

Fig. 13.10 Experimental reconfigured closed-loop response after failure of temperature
sensor for reactor TS ($f_{s1}$) with saturated virtual sensor using multi-objective synthesis.

Fig. 13.11 Simulated reconfigured closed-loop response after failure of level sensor for
reactor TS ($f_{s2}$) with saturated virtual sensor using multi-objective synthesis.

Piecewise Affine Virtual Actuator

Valve failure. The application of the PWA virtual actuator to the failure of the valve
$u_{TB}$ that governs the inflow of salt concentration from the container TB is shown
as a simulation in Fig. 13.12. The simulation uses the detailed nonlinear model to
represent the process. In variation of the original definition of the fault $f_{a1}$, the valve
fails in completely closed position. The blockage compensation condition (9.9) is
not satisfied. Although the valve $u_{TM}$ opens the way to fluid with the same salt
concentration in the container TM, that fluid also has a slightly different effect on
the temperature $\vartheta_{TS}$ than the fluid in the container TB. Obviously, the cold water
inflow $u_{CW}$ also affects the temperature. In summary, the blockage of the valve $u_{TB}$
cannot be directly compensated by means of an addition to the affine terms.

Nevertheless, the upper three axes of Fig. 13.12 show that the PWA virtual actuator
achieves satisfactory reconfiguration in the sense that all three controlled outputs
are stable and the temperature and electrical conductivity reach their setpoints with
good transients. Only the fluid level repeatedly reaches its lower safety bound and
its mean value deviates slightly from its setpoint. In other words, stable setpoint
tracking is achieved, and sufficient performance is achieved so that the transient
response exhibits acceptable overshoot and oscillations. Indeed, the PWA virtual
actuator undergoes switching between several different modes.

The closed-loop system that consists of the faulty plant, the virtual actuator, and
the nominal controller has been modified with respect to Fig. 11.1 as follows. First,
the real process is subjected to constraints on the inputs. Although these constraints
are not part of the framework developed for PWA virtual actuators, it is advantageous
in practice to constrain the control inputs $u_f$ that are outputs of the PWA
virtual actuator. Furthermore, the PWA virtual sensor was not used, since all process
states were assumed to be measurable. The computation procedure for the
gains M and Mj consists of Algorithm 11.1 extended by means of performance
elements in the form of an upper bound on the $H_\infty$-norm of the PWA virtual actuator
from $u_c$ to $u_f$ and from $u_c$ to $z_\Delta$. With this technique and the weights $\lambda = 0.7$
and $Q = \mathrm{diag}(0.1\ 1\ 0.1)$, the gains

are obtained. The effect of these feedback gains is visible in the lower six axes of
Fig. 13.12. The blockage position of the valve $u_{TB}$ is clearly visible. Apparently,
the valve $u_{TM}$ to the spare salt container serves as the main replacement, with
contributions of the cold water supply valve $u_{CW}$. The pump rate is adjusted to fit the
reduced throughput that results from the fault and reconfiguration.

Fig. 13.12 Simulated reconfigured closed-loop response after valve blockage in closed
position (modified $f_{a1}$) with piecewise affine virtual actuator using tracking-recovering synthesis.

In summary, the simulation demonstrates the adequateness of the PWA virtual
actuator for reconfiguring systems described by PWA or approximately PWA
dynamics. Further improvements of performance are likely to be achievable by further
investigating the application of optimal control theory for PWA systems to PWA
reconfiguration blocks [165].



13.6 Summary and Discussion 

This chapter has summarised a selection of simulations and experiments of successful
applications of saturated virtual actuators, saturated virtual sensors, and PWA
virtual actuators to a thermofluid process. The shown sample applications demonstrate
that practical applications of the fault-hiding paradigm to fault-tolerant control
problems are feasible. In particular, successful reconfiguration has been achieved
in fault cases that cannot be solved based on linear virtual actuators.

Especially in the case of the saturated virtual actuator, additional simulations and
successful experiments for further fault cases have been achieved. Reconfiguring
additional sensor fault cases is difficult, since the failures of the fluid temperature and
fluid level sensors prove to be sufficiently difficult both in terms of reconfigurability
analysis and in terms of experiments.

On the other hand, the PWA virtual actuator and the PWA virtual sensor have so
far only been tested in simulations. Their experimental evaluation on the thermofluid
process is an open aspect for further investigation.



Chapter 14 
Conclusion 



Abstract. This chapter summarises the contributions of this monograph to recon- 
figurable control theory and describes open problems for future research. 



14.1 Summary 

The goal formulated in the introduction consisted in extending the linear fault- 
hiding approach to reconfigurable control towards two classes of nonlinear systems, 
namely towards Hammerstein-Wiener systems and piecewise affine systems with
more than two modes. The reconfiguration solutions were supposed to address com- 
bined actuator and sensor faults, to encompass stability, tracking and performance 
properties, to be found by autonomous algorithms, and to be robust against uncertain 
diagnostic results. These goals have been achieved. 

Part I of this monograph has defined and explained the reconfiguration problem 
in terms of general nonlinear system models. The general structure of fault-hiding 
solutions was defined as being a combination of a nonlinear virtual sensor for coun- 
tering sensor faults and a nonlinear virtual actuator for countering actuator faults. 
Key properties of the fault-hiding solution have been stated independently of any 
particular subclass of nonlinear systems. The problems of stability recovery, setpoint 
tracking recovery, exact performance recovery, and optimal performance recovery 
were defined, and their solutions for linear systems were summarised. It was noted 
that the linear reconfiguration blocks are universal solutions to the linear reconfigu- 
ration problems. 

Parts II and III have described the extensions to Hammerstein-Wiener systems
and piecewise affine systems, which have indeed been completely achieved. The
contributions consist in Hammerstein-Wiener and piecewise affine generalisations of
virtual sensors and virtual actuators, as well as solutions to the stability recovery
and setpoint recovery problems. A solution to the optimal performance recovery
problem has been provided for the practically particularly relevant class of saturated
systems. For each problem, sufficient solvability conditions are available that permit
a reconfigurability analysis. In particular, the Hammerstein-Wiener framework



J.H. Richter: Reconfigurable Control of Nonlinear Dynamical Systems, LNCIS 408, pp. 229–232.
springerlink.com © Springer-Verlag Berlin Heidelberg 2011




explicitly includes the presence of input saturations. The price paid for the extension
to nonlinear systems consists in the non-necessity of the obtained solvability
conditions, since the solvability analysis leads to decision problems that are known 
to be generally undecidable from a computational perspective. Robustness against 
modelling errors has been found and demonstrated by means of running examples in 
all cases. It has been emphasised that the solutions are well-suited for autonomous 
implementation. Therefore, all specific requirements that apply to reconfigurable 
control problems have been met by the solutions. By virtue of algorithms and exam- 
ples, it has been explained in each chapter how the autonomous implementation of 
the reconfiguration blocks can be achieved. The roles of remaining degrees of free- 
dom for parameterising the algorithms for specific engineering applications have 
been explained and interpreted. 

Part IV has provided implementation details for the fault-hiding approach and 
described an experimental application example. It has been shown how the fault- 
hiding principle can be embedded into practical real-time control frameworks, and 
a prototype toolbox implementation based on MATLAB and Simulink has been 
described. An experimental example from the process control domain applied to 
a pilot plant has demonstrated the viability of the approaches for solving practical 
fault-tolerant control problems in engineering applications. The experiments stress 
the robustness of the fault-hiding approach. Potential generalised applications to the 
control of underactuated systems have been indicated. 

In summary, the problem of reconfiguring feedback control laws after actuator 
faults and sensor faults has been extensively and successfully solved in this mono- 
graph. A suitable generalisation of the linear fault-hiding framework towards nonlin- 
ear dynamical systems has been found. This generalisation has been worked out for 
Hammerstein-Wiener systems and piecewise affine systems. The class of admissible
faults has been extended, most importantly from actuator failure at the operating
point towards blockage of actuators in arbitrary positions (piecewise affine models),
as well as towards tightened actuator saturation limits (Hammerstein-Wiener
models). Nevertheless, several questions remain open, and new interesting problems 
have appeared, which are explained in the next section. 



14.2 Open Problems 

This monograph has entirely focussed on actuator and sensor faults that affect the 
input and output matrices of the models. However, certain classes of practical faults 
also affect the autonomous part of the plant dynamics. The extension of the fault- 
hiding approach towards internal system faults modelled by means of modified 
system matrices corresponding to the autonomous dynamics is an interesting open 
problem for all modelling approaches considered in this monograph. 

The fault-hiding framework has so far been developed only for continuous-time
systems. However, most control applications nowadays require a digital implementation
that leads to sampled-data systems. This problem can be avoided by means
of suitable oversampling, but this solution is limited to systems with sufficiently
slow dynamics. The extension of the fault-hiding framework towards sampled-data
systems is a problem of high practical value. It is nontrivial even in the linear case,
since in discrete-time linear systems, phenomena like dead-beat control appear that
are not present in continuous-time systems. In the linear case, many discrete-time
problems are expected to be solvable along the lines of the continuous-time solutions.
The extension is certainly nontrivial in the nonlinear case, since no general
approach to the treatment of sampled-data nonlinear systems is available.

In the case of piecewise affine systems, the replacement of common quadratic 
Lyapunov functions with piecewise quadratic or polyhedral Lyapunov functions is 
an intriguing but difficult problem. As discussed in Chapter 10.3, the observation
error associated with the piecewise affine virtual sensor must be stable for every 
discrete mode combination in the plant and the virtual sensor, and gain scheduling 
based on piecewise quadratics defined on the observer error is not feasible. However, 
it might be possible to develop a piecewise Lyapunov function approach to virtual 
actuator synthesis for the case where the plant state is measurable and where no 
sensor faults occur. In addition, the optimal performance recovery problem has not 
been considered yet for piecewise affine virtual actuators and sensors. 

Regarding nonlinear systems, the general nonlinear virtual actuators and virtual
sensors defined in Chapter 3 can be further generalised by allowing nonlinear feedback
gains. Furthermore, actuator constraints have not been taken into account in
the fault-tolerant control of nonlinear dynamical systems. It would be interesting to
develop synthesis techniques for generalised nonlinear virtual actuators and virtual
sensors that respect constraints on the inputs, and possibly also on the states. Such an
approach might be developed for the class of input-affine systems based on control
Lyapunov functions, and also for further special subclasses of nonlinear systems,
such as Lur'e systems, bilinear systems, and linear parameter-varying systems.

Furthermore, the reconfiguration framework should be generalised to
two-degree-of-freedom control schemes. In two-degree-of-freedom control, an open-loop
feedforward controller shapes the dynamics of the reference-to-output
behaviour, while a feedback controller shapes the disturbance-to-output behaviour
and provides robustness against modelling uncertainties. The feedforward controllers
are, for example, based on the differential flatness property [58]. It has been
shown that a flatness-based feedforward controller is robust against model uncertainties
and that the flatness-based control scheme can linearise the system around its
trajectory [72]. These properties open interesting ways for combinations of linear
reconfiguration blocks with differentially flat nonlinear systems. The reconfiguration
of feedforward controllers has not been thoroughly studied yet, but could lead
to very interesting general reconfiguration approaches for two-degree-of-freedom
control schemes.

Taking a bigger perspective, industry moves towards ubiquitous and complete
networking of all factory assets, such as actuators or sensors, by means of digital
fieldbus networks integrated with corporate networks. This large-scale networking
of components allows controllers to communicate with non-local and local sensors
and actuators alike, as well as with other controllers and remote components. While
automatic control over large-scale networks poses challenges that have led to the
field of networked control systems [7], [78], [217], it also offers unique opportunities
to fault-tolerant control. However, systematic methods have yet to be developed that
permit controllers to discover the assets available in their neighborhood, to assess their
capabilities, and to use them for achieving their purposes. This reasoning applies
especially if the global model of the entire neighborhood of a plant component is
not immediately available, or not known at all. In such cases, local reconfiguration
blocks should attempt globally sensible decisions based on local information, which
is a typical decentralised control problem. Similar problems also arise in hierarchical
and mixed decentralised/hierarchical control schemes. Their solutions require
new theoretical methods as well as suitable modelling tools. The existing theory of
decentralised control might provide a starting point.

The unified treatment of fault diagnosis and control adjustment is an area of
research that is still in its infancy. This research area is concerned with the development
of control adjustment techniques that take explicitly into account the uncertainties
that are commonly associated with fault diagnosis results. Furthermore, the fault
diagnosis task becomes more complicated in the presence of control adjustments. It
is possible to combine the fault-hiding approach to control reconfiguration with the
set-theoretic ideas formulated in [146] in order to obtain a fully integrated active
fault-tolerant control scheme. This concept is explored for linear systems in [195].

Finally, two general questions have appeared in this monograph that are interesting
beyond fault-tolerant control applications. The first question concerns conditions
about the solvability of decoupling problems for general switched linear or
switched affine systems. The second question concerns the characterisation of
incremental stability conditions for nonlinear systems in terms of piecewise quadratic
or polyhedral Lyapunov functions. These problems are of general interest, they are
very difficult, and contributions to these questions are certainly very valuable.

Acronyms and Symbols



Acronyms 

ECU Electronic control unit 

FDI Fault detection and isolation 

FTC Fault-tolerant control 

GAS Global asymptotic stability 

$\delta$GAS Incremental global asymptotic stability

GES Global exponential stability 

IOS Input-to-output stability 

ISpS Input-to-state practical stability

ISS Input-to-state stability 

LMI Linear matrix inequality 

ODE Ordinary differential equation 

PLC Programmable logic controller 

PWA Piecewise affine 

PWL Piecewise linear 

PWQ Piecewise quadratic 

Fields, classes and sets

$\mathbb{C}$ Field of complex numbers

$\mathbb{R}$ Field of real numbers

$C^\infty$ Class of smooth functions

$\mathcal{K}$ Class of nondecreasing functions

$\mathcal{K}_\infty$ Class of nondecreasing unbounded functions

Class of functions unbounded and nondecreasing in the first argument and asymptotically decreasing in the second argument

$\mathcal{L}^{loc}$ Class of locally integrable functions

$\mathcal{L}_2$ Class of square integrable functions

Class of essentially bounded functions

A Polyhedron

D Delaunay partition

$\mathcal{P}$ Polytope

$\mathcal{S}$ Subspace of state space

$\mathcal{V}$ Subspace of state space

$\mathcal{U}$ Set of feasible inputs to a system

X Set of vectors

X Set of feasible output equilibria of a system

Scalars and scalar-valued functions

k Dimension of disturbance signal space 

m Dimension of input space 

n Dimension of state space 

p Dimension of controlled output space 

q Dimension of measured output space 

r Cardinality of state-space partition 

w Dimension of reconfiguration block state space 

s Complex frequency 

$\alpha$ Scalar real-valued function in class $\mathcal{K}$ or class $\mathcal{K}_\infty$

$\beta$ Scalar real-valued function in class $\mathcal{KL}$

$\gamma$ Norm of a transfer function

$\vartheta$ Temperature of a fluid

$\kappa$ Number of independently controllable outputs of a dynamical system

$\lambda$ Scalar weight between performance and input effort

p Singular value of a matrix

$\nu$ Electrical conductivity of a fluid

p Unit step function

$\sigma$ Set of eigenvalues of a matrix

$\psi$ Heading of a vehicle

Vectors and vector-valued functions

a Affine term 

b Column of input matrix 

c Row of output matrix 

d Disturbance input of a dynamical system 

e Observation error 

f Nonlinear input function

g Nonlinear vector field 

h Nonlinear output function 

k Vector of sector bounds of nonlinear characteristic; offset vector in polyhedron representation

r Reference input to a control loop 

s State of dual observer 

u Control input of a dynamical system 

x State of a dynamical system 

$x_\Delta$ Difference state in reconfiguration block

y Measured output of a dynamical system

$y_\Delta$ Measured output difference between nominal and faulty system

z Controlled output of a dynamical system

$z_\Delta$ Controlled output difference between nominal and faulty system

£, t\ Auxiliary signals

$\varphi$ Decomposed sector-bounded function

Matrices 

A System matrix of a dynamical system 

B Input matrix of a dynamical system 

$B_d$ Disturbance matrix of a dynamical system

C Measured output matrix of a dynamical system

$C_z$ Controlled output matrix of a dynamical system

D Feedthrough matrix of a dynamical system

H Matrix of normal directions defining a polyhedron

$I_n$ Identity matrix of dimension n

K Static controller feedback matrix 

L Virtual sensor output error injection gain matrix 

M Virtual actuator feedback gain matrix 

N Virtual actuator feedthrough gain matrix 

P Virtual sensor feedthrough gain matrix 

Q Weight matrix 

S Diagonal matrix of inverse sector bounds 

T Similarity transformation matrix 

T(s) Transfer function matrix 

X, Y Variables of a linear matrix inequality 

Dynamical systems and dynamical operators 

27/, Nominal closed-loop system

Elt Reconfigured closed-loop system

Zlfh Reconfigured closed-loop system based on the fault-hiding approach

$\Sigma_P$ Nominal plant

$\Sigma_{Pr}$ Reconfigured plant

$\Sigma_C$ Controller

$\Sigma_R$ Reconfiguration block

Qi Nominal closed-loop operator

Ql t Reconfigured closed-loop operator

Qlfh Reconfigured closed-loop operator based on the fault-hiding approach

Qp Nominal plant operator

Qp r Reconfigured plant operator

Qc Controller operator

Qr Reconfiguration block operator

Sub- and Superscripts

(•) Upper bound on (•)

(•) Lower bound on (•)

$(\cdot)_f$ Quantity in a faulty plant

Mathematical operators 

= Equal by definition

$\|\cdot\|_p$ Vector p-norm or induced matrix p-norm

$\|\cdot\|_{\mathcal{L}_p}$ $\mathcal{L}_p$-norm of signal

$\|\cdot\|_{H_\infty}$ $H_\infty$-norm of system

rank(·) Rank of a matrix (·)

ker(·) Kernel space of a matrix (·)

im(·) Image space of a matrix (·)

span($v_1, \ldots, v_k$) Linear space spanned by the vectors $v_1, \ldots, v_k$

$A|\mathcal{V}$ Restriction of matrix A to A-invariant subspace $\mathcal{V}$

$(A)^+$ Pseudoinverse of matrix A satisfying all four Moore-Penrose equations

(A)^ Right inverse of matrix A satisfying AA^ =I,A^= A T (AA T )~ l

(A)$ Left inverse of matrix A satisfying A* A — I, A^ — (A T A) -1 A T

$\succ$, $\prec$ Positive definite, negative definite

• Symmetric entry or block in a symmetric matrix



Appendix B 

Glossary of Fault-Tolerant Control 



The following notions are widely used in the literature on fault-tolerant control. In
spite of their wide-spread use, different definitions are available for several of the
notions, in particular for dependability. The definitions given here follow the recent
monographs on fault-tolerant control 12 ll 18311 . but can be traced back to the fields of
operations research and dependable computing [79], [164].

Availability is the probability that a system is operational when it is needed. Avail- 
ability is influenced by maintenance strategies, whereas reliability is independent of 
maintenance strategies. 

Dependability denotes the combination of safety, reliability, and availability. 

Failures denote a condition of a system or a component of a system that entirely
ceases to perform its function. Failures are special types of faults. Every failure is a
fault, but not vice versa.

Faults denote a condition of a system or a component of a system that can no longer
fully perform the function that it is designed for. Faults have location, strength,
and temporal behavior. This monograph only concentrates on the location (specific
actuators and sensors) and considers faults that remain effective forever once they
have occurred.

Fault case denotes a constellation of faults, namely the set of all faults that act on 
the system. 

Fault detection denotes the process of deciding whether or not faults are present 
in the system. Fault detection states neither the locations nor the strengths of the 
current faults, but only the existence of faults. 

Fault isolation provides the locations of faults in the system. This monograph 
assumes that the fault has been uniquely isolated before control reconfiguration 
activates. 

Fault identification provides the location and strength of the faults in the system.
The reconfigurable control methods shown in this monograph do not require
perfect fault identification due to inherent robustness and the possibility of forcing
a shutdown of actuators with uncertain fault status, and the possibility of ignoring
the values provided by faulty sensors.

Fault-tolerant systems continue to function in spite of faults, possibly with de- 
graded performance. In other words, faults at the component level do not cause a 
failure at the system level. Fault-tolerance increases a system's reliability and de- 
pendability. 

Redundancy denotes the presence of more than one means for achieving a given
goal. Physical redundancy (also called parallel redundancy) refers to the multiple
installation of critical components such as actuators or sensors. If one component fails,
the other components replace the failed one. Analytical redundancy refers to the
presence of functionally similar components, where the functional similarities are
expressed in a system model. Adequate utilisation of analytical redundancy usually
requires good models that contain a description of the redundancy.

Reliability is the probability that a system accomplishes its function for a specified 
period of time under normal operating conditions. Reliability analysis provides sta- 
tistical information about the probability of failures, but does not make statements 
about the system status at any particular time. Fault-tolerant control cannot change 
the reliability of the system components, but it can improve the overall system 
reliability. 

Safety is the absence of danger. System safety is often achieved by implementing 
a safety system that brings the system into a safe state if critical component faults 
or failures occur. A system with this property is called a fail-safe system. 



Appendix C 
Linear Subspaces 



The notions of controlled (or $(A,B)$-) invariant subspaces and their duals, the
conditioned (or $(C,A)$-) invariant subspaces [12], [227] are introduced here. For
computational aspects, see [70]. They are mostly required for the statement of certain results
given in Chapter 4. Consider the system $\Sigma_1 : \dot{x}(t) = Ax(t) + Bu(t)$ with
$x(t) \in \mathcal{X} = \mathbb{R}^n$ and $u(t) \in \mathcal{U} = \mathbb{R}^m$. An absolutely continuous (a.c.) function
$x(t) : \mathbb{R}_+ \to \mathbb{R}^n$ satisfying this differential equation for some $u$ is called an a.c.
trajectory of $\Sigma_1$. A subspace $\mathcal{V} \subseteq \mathcal{X}$ is said to be $(A,B)$-invariant if there exists a
matrix $F : \mathcal{X} \to \mathcal{U}$ such that $(A - BF)\mathcal{V} \subseteq \mathcal{V}$. An equivalent geometric
characterisation is that $\mathcal{V}$ must satisfy $A\mathcal{V} \subseteq \mathcal{V} + \operatorname{im} B$. Given a subspace
$\mathcal{K} \subseteq \mathcal{X}$, it can be shown that there exists a unique supremal $(A,B)$-invariant subspace
contained in $\mathcal{K}$, denoted by $\mathcal{V}^*(\mathcal{K})$. If $\mathcal{V}$ is an $A$-invariant subspace, then the
notation $A|\mathcal{V}$ denotes the restriction of $A$ to $\mathcal{V}$, defined through the equation
$(A|\mathcal{V})x = Ax$ for $x \in \mathcal{V}$. Furthermore, it may be required from $F$ that in addition to
rendering $\mathcal{V}^*(\mathcal{K})$ invariant, $\sigma(A - BF|\mathcal{V}^*(\mathcal{K}))$ belongs to a prescribed good
region $\mathbb{C}_g \subseteq \mathbb{C}$. A subspace $\mathcal{V}_g \subseteq \mathcal{X}$ is called a stabilisability subspace if there
exists a matrix $F : \mathcal{X} \to \mathcal{U}$ such that $(A - BF)\mathcal{V}_g \subseteq \mathcal{V}_g$ and the closed-loop
spectrum lies in a stability set $\mathbb{C}_g$, $\sigma(A - BF|\mathcal{V}_g) \subseteq \mathbb{C}_g$. The supremal
stabilisability subspace contained in a given subspace $\mathcal{K} \subseteq \mathcal{X}$ is well defined and denoted
by $\mathcal{V}_g^*(\mathcal{K})$. Furthermore, an $(A,B)$-invariant subspace $\mathcal{R}$ such that
$(A - BF)\mathcal{R} \subseteq \mathcal{R}$ and $\sigma(A - BF|\mathcal{R})$ is freely assignable is called a controllability
subspace. The supremal controllability subspace contained in a subspace $\mathcal{K} \subseteq \mathcal{X}$ is
well-defined and denoted by $\mathcal{R}^*(\mathcal{K})$. Finally, the supremal almost controlled-invariant
stabilisability subspace contained in $\mathcal{K}$ is unique, well-defined, and denoted by
$\mathcal{V}_b^*(\mathcal{K})$ ||22

Dual notions are defined for the system $\Sigma_2 : \dot{x} = Ax$, $y = Cx$, with
$y \in \mathcal{Y} = \mathbb{R}^q$. A subspace $\mathcal{S} \subseteq \mathcal{X}$ is called conditioned ($(C,A)$-) invariant if there
exists a matrix $J : \mathcal{Y} \to \mathcal{X}$ such that $(A - JC)\mathcal{S} \subseteq \mathcal{S}$ [191], with the equivalent
geometric characterisation that $\mathcal{S}$ must satisfy $A(\mathcal{S} \cap \ker C) \subseteq \mathcal{S}$. A
$(C,A)$-invariant subspace $\mathcal{S}_g$ is called a detectability subspace if $\mathcal{S}_g^\perp$ is a stabilisability
subspace relative to the pair $(A^T, C^T)$. A $(C,A)$-invariant subspace $\mathcal{N}$ is called an
observability subspace if $\mathcal{N}^\perp$ is a controllability subspace relative to the pair $(A^T, C^T)$.
Given a subspace $\mathcal{K}$, it can be shown that $\mathcal{S}^*(\mathcal{K})$, $\mathcal{S}_g^*(\mathcal{K})$, $\mathcal{N}^*(\mathcal{K})$, and
$\mathcal{S}_b^*(\mathcal{K})$, denoting the infimal $(C,A)$-invariant subspace, the infimal detectability
subspace, the infimal observability subspace, and the infimal almost $(C,A)$-invariant
detectability subspace containing $\mathcal{K}$, are well defined and unique [223].
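Added example (not code from the monograph or its MATLAB toolbox): the standard invariant subspace recursion $\mathcal{V}_0 = \mathcal{K}$, $\mathcal{V}_{k+1} = \mathcal{K} \cap A^{-1}(\mathcal{V}_k + \operatorname{im} B)$ computes the supremal $(A,B)$-invariant subspace $\mathcal{V}^*(\mathcal{K})$ defined above in exact rational arithmetic, and checks the geometric condition $A\mathcal{V} \subseteq \mathcal{V} + \operatorname{im} B$. The triple-integrator matrices and the two output rows whose kernels serve as $\mathcal{K}$ are constructed sample data, and all function names are hypothetical.

```python
from fractions import Fraction

def rref(rows, n):
    """Row-reduce a list of length-n rows; return (nonzero rows, pivot columns)."""
    M = [[Fraction(v) for v in r] for r in rows]
    pivots, r = [], 0
    for c in range(n):
        p = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        lead = M[r][c]
        M[r] = [v / lead for v in M[r]]
        for i in range(len(M)):
            f = M[i][c]
            if i != r and f != 0:
                M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    return M[:r], pivots

def nullspace(rows, n):
    """Basis of {x in R^n : row . x = 0 for every row}."""
    R, pivots = rref(rows, n)
    basis = []
    for free in (c for c in range(n) if c not in pivots):
        x = [Fraction(0)] * n
        x[free] = Fraction(1)
        for row, p in zip(R, pivots):
            x[p] = -row[free]
        basis.append(x)
    return basis

def rank(vectors, n):
    return len(rref(vectors, n)[1])

def columns(M):
    return [list(c) for c in zip(*M)]

def apply(M, v):
    """Matrix-vector product M v."""
    return [sum(a * x for a, x in zip(row, v)) for row in M]

def supremal_ab_invariant(A, B, K):
    """Basis of V*(K) for a subspace K given by a list of basis vectors."""
    n = len(A)
    CK = nullspace(K, n)      # rows c with c . x = 0 on K, so K = ker(CK)
    At = columns(A)           # rows of A^T
    V = rref(K, n)[0]         # V_0 = K
    while True:
        N = nullspace(V + columns(B), n)   # annihilator of V_k + im B
        NA = [apply(At, w) for w in N]     # rows w^T A: ker(NA) = A^{-1}(V_k + im B)
        V_next = nullspace(CK + NA, n)     # K intersected with A^{-1}(V_k + im B)
        if len(V_next) == len(V):          # nested sequence: equal dimension means equal
            return V_next
        V = V_next

def is_ab_invariant(A, B, V):
    """Geometric test from the text: A V contained in V + im B."""
    n = len(A)
    span = V + columns(B)
    r = rank(span, n)
    return all(rank(span + [apply(A, v)], n) == r for v in V)

# Constructed sample: triple integrator x1' = x2, x2' = x3, x3' = u.
A = [[0, 1, 0], [0, 0, 1], [0, 0, 0]]
B = [[0], [0], [1]]
K1 = nullspace([[1, 1, 0]], 3)   # kernel of output row c = [1 1 0]
K2 = nullspace([[1, 0, 0]], 3)   # kernel of output row c = [1 0 0]

if __name__ == "__main__":
    for name, K in (("ker [1 1 0]", K1), ("ker [1 0 0]", K2)):
        V = supremal_ab_invariant(A, B, K)
        print(name, "-> V* basis:", [[str(x) for x in v] for v in V],
              "| K itself (A,B)-invariant:", is_ab_invariant(A, B, K))
```

For the first kernel the recursion stops after one shrinking step with a one-dimensional $\mathcal{V}^*$, while for the second it shrinks to the zero subspace; in both cases $\mathcal{K}$ itself fails the invariance test.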



Appendix D 
Proofs 



D.1 Proofs of Chapter 4

D.1.1 Proof of Theorem 4.6 and Theorem 4.13

The claimed universality is proven by constructing a solution to Problem 3.2. Given
a nominal system $\Sigma_P$ and a faulty system $\Sigma_{Pf}$, conditions are sought under which
for every stabilizing controller $\Sigma_C$ of the form (4.10), there exists a redesigned
controller $\Sigma_{Cr}$ of the form (4.10) such that the nominal closed-loop transfer function
from $r \mapsto z$ matches that of the reconfigured closed-loop system from $r \mapsto z_f$. The
controller (4.10) is denoted in the Laplace domain by

$$u(s) = K_r(s)\,r(s) - K_y(s)\,y(s).$$

It may be assumed that its state-space representation (4.10) is minimal, because any
non-minimal elements do not affect the controller I/O behavior. It may be furthermore
assumed that the faulty system (4.14) is stabilizable and detectable, because
otherwise no stabilizing controller exists.

The nominal system (4.1) has the transfer function

likewise the faulty system (4.14) has the transfer function

where due to Definition 4.2 and Definition 4.3 $P_{d \to z_f}(s) = P_{d \to z}(s)$ is nominal.

Using the nominal controller $K(s) = [K_r(s)\ \ {-K_y(s)}]$, where $K_r(s)$ must be stable,
straightforward calculations yield the following transfer functions $T_{r \to z}(s)$ and
$T_{d \to z}(s)$ for the nominal closed-loop system $(\Sigma_P, \Sigma_C)$

$$T_{r \to z}(s) = P_{u \to z}(s)K_r(s) - P_{u \to z}(s)K_y(s)\left(I + P_{u \to y}(s)K_y(s)\right)^{-1}P_{u \to y}(s)K_r(s) \tag{D.3}$$

$$T_{d \to z}(s) = P_{d \to z}(s) - P_{u \to z}(s)K_y(s)\left(I + P_{u \to y}(s)K_y(s)\right)^{-1}P_{d \to y}(s). \tag{D.4}$$

With a reconfigured controller $\Sigma_{Cr} : K'(s) = [K'_r(s)\ \ {-K'_y(s)}]$, corresponding transfer
functions for the reconfigured closed-loop system $(\Sigma_{Pf}, \Sigma_{Cr})$ are obtained:

$$T'_{r \to z_f}(s) = P_{u_f \to z_f}(s)K'_r(s) - P_{u_f \to z_f}(s)K'_y(s)\left(I + P_{u_f \to y_f}(s)K'_y(s)\right)^{-1}P_{u_f \to y_f}(s)K'_r(s) \tag{D.5}$$

$$T'_{d \to z_f}(s) = P_{d \to z}(s) - P_{u_f \to z_f}(s)K'_y(s)\left(I + P_{u_f \to y_f}(s)K'_y(s)\right)^{-1}P_{d \to y_f}(s). \tag{D.6}$$

Due to the results by Youla and Kucera [193, 245, 246], all stabilizing nominal
feedback controllers $K_y(s)$ are parameterized by the stable transfer function $Q(s)$,
and all stabilizing reconfigured feedback controllers $K'_y(s)$ are parameterized over
the stable transfer function $Q'(s)$ by means of the relations

$$Q(s) = K_y(s) \big(I + P_{u \to y}(s) K_y(s)\big)^{-1} \tag{D.7}$$

$$Q'(s) = K'_y(s) \big(I + F_{u_f \to y_f}(s) K'_y(s)\big)^{-1}. \tag{D.8}$$



Problem 3.2 is solved if and only if for all $(\Sigma_P, \Sigma_C)$-stabilizing transfer functions
$K(s)$, there exists a $(\Sigma_{Pf}, \Sigma_{Cr})$-stabilizing transfer function $K'(s)$ such that

$$T'_{r \to z_f}(s) = T_{r \to z}(s) \tag{D.9}$$

$$T'_{d \to z_f}(s) = T_{d \to z}(s). \tag{D.10}$$

Using the Youla parameters $Q(s)$ and $Q'(s)$ to characterize the feedback, the equivalent
criteria are that for all stable $(K_r(s), Q(s))$, there exist stable $(K'_r(s), Q'(s))$ such
that

$$P_{u \to z}(s) K_r(s) = F_{u_f \to z_f}(s) K'_r(s) \tag{D.11}$$

$$P_{u \to z}(s) Q(s) P_{u \to y}(s) K_r(s) = F_{u_f \to z_f}(s) Q'(s) F_{u_f \to y_f}(s) K'_r(s) \tag{D.12}$$

$$P_{u \to z}(s) Q(s) P_{d \to y}(s) = F_{u_f \to z_f}(s) Q'(s) F_{d \to y_f}(s). \tag{D.13}$$

(Actuator faults) Now consider the case of pure actuator faults ($C_f = C$). It follows
that $F_{d \to y_f}(s) = P_{d \to y}(s)$, and the solvability of (D.11) for $K'_r(s)$ implies the
solvability of (D.13) for $Q'(s)$. Expansion of (D.11) leads to

$$C_z (sI - A)^{-1} B K_r(s) = C_z (sI - A)^{-1} B_f K'_r(s), \tag{D.14}$$

for which stable solutions $K'_r(s)$ for all stable $K_r(s)$ are sought. In other words, one
ranges over the entire set of stabilizing controllers to achieve $z_\Delta(t) = z(t) - z_f(t) = 0$
$\forall t \in \mathbb{R}_+$. Defining $x_\Delta(t) = x(t) - x_f(t)$, the dynamics for $z_\Delta$ are governed by

$$\begin{cases} \dot{x}_\Delta(t) = A x_\Delta(t) + B u_c(t) - B_f u_f(t), \quad x_\Delta(0) = \\ z_\Delta(t) = C_z x_\Delta(t). \end{cases}$$

Finding a control $u_f(t)$ such that for all stabilizing measurable controls $u(t)$ the
output $z_\Delta$ is measurable is therefore equivalent to a known disturbance decoupling
problem with stability (DDPS'), which is known to be solvable if and only if Condition
(4.55) is satisfied. The same holds for the almost-trajectory recovery and Condition
(4.56). Equation (D.12) is solvable for all stable $Q$ if Equation (D.13) is solvable.
Therefore, a suitable virtual actuator exists, and the correct initial condition is

(Sensor faults) Now consider the case of pure sensor faults ($B_f = B$). It follows
that $F_{u_f \to z_f}(s) = P_{u \to z}(s)$, and Condition (D.11) is automatically satisfied for
$K'_r(s) = K_r(s)$. Equation (D.12) is easily satisfiable by choosing $Q'(s)$ as an observer
for the faulty system. Further conditions on the observer are obtained from Equation
(D.13), which is solvable in $Q'(s)$ for fixed $Q(s)$ iff [223, Appendix B] both
following equations are solvable in $Q'_1(s)$, $Q'_2(s)$:

$$P_{u \to z}(s) Q(s) = P_{u \to z}(s) Q'_1(s) \tag{D.15}$$

$$Q(s) P_{d \to y}(s) = Q'_2(s) F_{d \to y_f}(s). \tag{D.16}$$

Equation (D.15) is trivially satisfiable by $Q'_1(s) = Q(s)$ for all $Q(s)$. It remains to
solve Equation (D.16) for all stable $Q(s)$, which is after expansion

$$Q(s) C (sI - A)^{-1} B_d = Q'_2(s) C_f (sI - A)^{-1} B_d,$$

and for which we seek stable solutions $Q'_2(s)$ for all stable $Q(s)$. In a way dual to
the actuator case, this problem is equivalent to a decoupled-estimation problem with
measurement throughput and stability (DDEPS'), which is known to be solvable if
and only if Condition (4.33) is satisfied. The same holds for the almost-trajectory
recovery and Condition (4.34). A virtual sensor exists that solves the problem, and

D.2 Proofs of Chapter 6

D.2.1 Proof of Theorem 6.1

Closed-loop stability is established based on the weak fault-hiding property (Lemma
6.1), the nominal closed-loop IOS (Assumption 5.3), and the established stability
properties of the observation error and difference systems together with Proposition
2.2. The equivalent closed-loop block diagram can be drawn as in Fig. D.2
due to Equation (6.3) and interpreted as the cascade interconnection of the nominal
closed-loop system with a difference and error subsystem due to Lemma 6.1.

Fig. D.1 Transformed reconfigured closed-loop system (5.8), (5.4), (6.1), (6.2).

First, consider the feedback connection $(\Sigma_e, \Sigma_\Delta)$ (shaded block in Fig. D.1), to
which the signals $u_c$, $d$, and $x$ are external inputs. Normally, to conclude ISS of
feedback connections, a small-gain argument is needed. In this case, however, $\Sigma_e$
is exponentially stable for arbitrary interconnection inputs $x$, $x_\Delta$, which is used as
follows. From Lemma 6.2 the observation error dynamics is 0-GES for arbitrary
inputs $x$ and $x_\Delta$ and ISS w.r.t. the disturbance $d$. In other words,



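$$\|e(t)\| \le \beta_e(\|e(s)\|, t - s) + \gamma_d\Big(\sup_{s \le \tau \le t} \|d(\tau)\|\Big) \tag{D.17}$$

for some $\beta_e \in \mathcal{KL}$, $\gamma_d \in \mathcal{K}$. The difference system is globally exponentially stable
with $u_c = e = 0$ for arbitrary $x$ and ISS w.r.t. $u_c$ and $e$, hence for $t \ge s \ge t_0 \ge 0$ it
follows that

$$\|x_\Delta(t)\| \le \beta_\Delta(\|x_\Delta(s)\|, t - s) + \gamma_u\Big(\sup_{s \le \tau \le t} \|u_c(\tau)\|\Big) + \gamma_e\Big(\sup_{s \le \tau \le t} \|e(\tau)\|\Big) \tag{D.18}$$

for some $\beta_\Delta \in \mathcal{KL}$, $\gamma_u, \gamma_e \in \mathcal{K}$. Applying (D.18) with $s = (t + t_0)/2$ gives

$$\|x_\Delta(t)\| \le \beta_\Delta\Big(\Big\|x_\Delta\Big(\tfrac{t + t_0}{2}\Big)\Big\|, \tfrac{t - t_0}{2}\Big) + \gamma_u\Big(\sup_{\frac{t + t_0}{2} \le \tau \le t} \|u_c(\tau)\|\Big) + \gamma_e\Big(\sup_{\frac{t + t_0}{2} \le \tau \le t} \|e(\tau)\|\Big). \tag{D.19}$$

To estimate the term $\big\|x_\Delta\big(\tfrac{t + t_0}{2}\big)\big\|$, apply (D.18) with $s = t_0$ and $t$ replaced by
$(t + t_0)/2$ to get

$$\Big\|x_\Delta\Big(\tfrac{t + t_0}{2}\Big)\Big\| \le \beta_\Delta\Big(\|x_\Delta(t_0)\|, \tfrac{t - t_0}{2}\Big) + \gamma_u\Big(\sup_{t_0 \le \tau \le \frac{t + t_0}{2}} \|u_c(\tau)\|\Big) + \gamma_e\Big(\sup_{t_0 \le \tau \le \frac{t + t_0}{2}} \|e(\tau)\|\Big). \tag{D.20}$$

To estimate the term $\sup \|e(\tau)\|$, use (D.17) to obtain

$$\sup_{t_0 \le \tau \le \frac{t + t_0}{2}} \|e(\tau)\| \le \beta_e(\|e(t_0)\|, 0) + \gamma_d\Big(\sup_{t_0 \le \tau \le \frac{t + t_0}{2}} \|d(\tau)\|\Big) \tag{D.21}$$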



sup | W tW.(^),^) +% 



sup \\d(r) 






<&(lle(?o)ll,^) 



+ 7d 



sup \\d(r) 



&*™ 



(D.22) 



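By inserting (D.20)–(D.22) into (D.19) and using the fact that for $\gamma \in \mathcal{K}$ the relation
$\gamma(r_1 + r_2) \le \gamma(2 r_1) + \gamma(2 r_2)$ holds, the inequality

$$\begin{aligned}
\|x_\Delta(t)\| \le{} & \beta_\Delta\Big(2\beta_\Delta\big(\|x_\Delta(t_0)\|, \tfrac{t - t_0}{2}\big), \tfrac{t - t_0}{2}\Big) + \beta_\Delta\Big(2\gamma_e\big(2\beta_e(\|e(t_0)\|, 0)\big), \tfrac{t - t_0}{2}\Big) \\
& + \gamma_e\Big(2\beta_e\big(\|e(t_0)\|, \tfrac{t - t_0}{2}\big)\Big) + \beta_\Delta\Big(2\gamma_u\Big(\sup_{t_0 \le \tau \le \frac{t + t_0}{2}} \|u_c(\tau)\|\Big), \tfrac{t - t_0}{2}\Big) \\
& + \beta_\Delta\Big(2\gamma_e\Big(2\gamma_d\Big(\sup_{t_0 \le \tau \le \frac{t + t_0}{2}} \|d(\tau)\|\Big)\Big), \tfrac{t - t_0}{2}\Big) \\
& + \gamma_u\Big(\sup_{\frac{t + t_0}{2} \le \tau \le t} \|u_c(\tau)\|\Big) + \gamma_e\Big(2\gamma_d\Big(\sup_{\frac{t + t_0}{2} \le \tau \le t} \|d(\tau)\|\Big)\Big)
\end{aligned} \tag{D.23}$$

follows. Clearly, the sum of the first five terms is in class $\mathcal{KL}$, whereas the sum of the
last two terms is in class $\mathcal{K}$. Therefore the following shorter notation is introduced,

$$\|x_\Delta(t)\| \le \beta_1(\|x_\Delta(t_0)\|, t - t_0) + \beta_2(\|e(t_0)\|, t - t_0) + \gamma_1(\|u_c\|_{\mathcal{L}_\infty}) + \gamma_2(\|d\|_{\mathcal{L}_\infty}), \tag{D.24}$$

where $\beta_1(\cdot) = \beta_\Delta \circ 2\beta_\Delta(\cdot) \in \mathcal{KL}$ and $\beta_2(\cdot) = \beta_\Delta \circ 2\gamma_e \circ 2\beta_e(\cdot) + \gamma_e \circ 2\beta_e(\cdot) \in \mathcal{KL}$ as well
as $\gamma_1(\cdot) = \gamma_u(\cdot) + \beta_\Delta \circ 2\gamma_u(\cdot) \in \mathcal{K}$ and $\gamma_2(\cdot) = \gamma_e \circ 2\gamma_d(\cdot) + \beta_\Delta \circ 2\gamma_e \circ 2\gamma_d(\cdot) \in \mathcal{K}$.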

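The interconnection $(\Sigma_e, \Sigma_\Delta)$ satisfies the following relation, obtained by observing
that $\|(e^T, x_\Delta^T)^T\| \le \|e\| + \|x_\Delta\|$ and $\|(u_c^T, d^T)^T\| \le \|u_c\| + \|d\|$ and inserting the above
relations:

$$\begin{aligned}
\left\| \begin{pmatrix} e(t) \\ x_\Delta(t) \end{pmatrix} \right\| \le{} & \beta_e(\|e(t_0)\|, t - t_0) + \gamma_d(\|d\|_{\mathcal{L}_\infty}) + \beta_1(\|x_\Delta(t_0)\|, t - t_0) + \beta_2(\|e(t_0)\|, t - t_0) \\
& + \gamma_1(\|u_c\|_{\mathcal{L}_\infty}) + \gamma_2(\|d\|_{\mathcal{L}_\infty}) \\
\le{} & \beta_e\left( \left\| \begin{pmatrix} x_\Delta(t_0) \\ e(t_0) \end{pmatrix} \right\|, t - t_0 \right) + \beta_1\left( \left\| \begin{pmatrix} x_\Delta(t_0) \\ e(t_0) \end{pmatrix} \right\|, t - t_0 \right) + \beta_2\left( \left\| \begin{pmatrix} x_\Delta(t_0) \\ e(t_0) \end{pmatrix} \right\|, t - t_0 \right) \\
& + \gamma_d\left( \left\| \begin{pmatrix} u_c \\ d \end{pmatrix} \right\|_{\mathcal{L}_\infty} \right) + \gamma_1\left( \left\| \begin{pmatrix} u_c \\ d \end{pmatrix} \right\|_{\mathcal{L}_\infty} \right) + \gamma_2\left( \left\| \begin{pmatrix} u_c \\ d \end{pmatrix} \right\|_{\mathcal{L}_\infty} \right).
\end{aligned}$$

An ISS-characterisation for the interconnected system $(\Sigma_e, \Sigma_\Delta)$ has been obtained,
where clearly $[\beta_e(r, s) + \beta_1(r, s) + \beta_2(r, s)] \in \mathcal{KL}$ and $[\gamma_d(r) + \gamma_1(r) + \gamma_2(r)] \in \mathcal{K}$ hold.
It is concluded that the subsystem $(\Sigma_e, \Sigma_\Delta)$ is ISS w.r.t. the input $(u_c, d, x)$, hence
also IOS w.r.t. the outputs $(e, x_\Delta)$. The system $(\Sigma_P, \Sigma_C)$ is IOS w.r.t. the input $r$ and
the output $(u_c, x)$ by Assumption 5.3. The series connection $((\Sigma_P, \Sigma_C), (\Sigma_e, \Sigma_\Delta))$ that
represents the reconfigured closed-loop system is IOS by Proposition 2.2, which
completes the proof.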
D.2.2 Proof of Theorem 6.2

Consider the LMI (6.8) for characterising stabilising gains of the Hammerstein-Wiener
virtual sensor. The substitutions $C_f \to -B_f^T$, $A \to A^T$, and $S_h \to S_v$ transform
the LMI (6.8) to the LMI



-(AX S +X S A T ) 



"*^W 



2S V 

By relabeling $X_a = X_s$ and $Y_a = -Y_s^T$, the LMI (6.11) has been derived. This result
implies that any solution $(X_s, Y_s)$ to the LMI (6.8) with the parameters $(A, C_f)$
corresponding to a Hammerstein-Wiener system subject to sensor faults also provides a
solution $(X_a, Y_a)$ to the LMI (6.11) with the parameters $(A, B_f)$, which corresponds
to a Hammerstein-Wiener system subject to actuator faults. The solutions $L$ and $M$
are linked by the relation

$$M = Y_a X_a^{-1} = -Y_s^T X_s^{-1} = -(X_s^{-1} Y_s)^T = -L^T,$$

which completes the proof.

D.2.3 Proof of Theorem 6.4

It is shown that the problem of finding a new stabilising state-feedback law
$u_f(t) = K x_f(t)$ is equivalent to finding a stabilising Hammerstein virtual actuator (6.17). The
combination of the new state-feedback controller with the faulty plant (5.8) leads to
the reconfigured closed-loop system $\dot{x}_f(t) = A x_f(t) + B_f f_f(K x_f(t)) + B_d d(t)$, which
has the same form as the difference system (6.21) after the substitutions $M = K$, $x_\Delta = x_f$
up to a sign and differing exogenous inputs. Thus, the problems are equivalent,
and the virtual actuator is state-feedback universal in the sense of Definition 6.4.



D.2.4 Proof of Theorem 6.5

From Theorem 2.5 it follows directly that the observation error (6.29) is asymptotically
stable for $d = 0$. In fact, the unforced observation error is even globally
uniformly exponentially stable [97, Proof of Theorem 7.1].

From the exponential stability of the unforced observation error and from Theorem
2.1 it follows that the unforced observation error has a Lyapunov function $V(e)$.
The derivative of $V(e)$ with respect to the forced observation error system (6.5)
satisfies the relations

V(e) =V V(e) (Ae(t) + L (h f (C f x f (t)) - h f (C f (x f (t) + e(t))j) - B d d(t)) 
< - c 3 \\e\\ 2 + c 4 (*b +%||)||e|| • IIC/H • [|L|| + c«||e|| ■ \\B d \\ ■ \\d\\ 
due to the robust Lipschitz condition (6.30) and Theorem 2.1. The first term $-c_3 \|e\|^2$
is obviously always negative. Using the parameter $\theta \in (0, 1)$, the inequality is
rewritten as

V(e) < - c 3 (l - 6)\\e\\ 2 - c 3 0|k|| 2 + c 4 (R + R\\e\\)\\e\\ ■ \\C f \\ ■ \\L\\ + c 4 ||e|| ■ \\B d \\ ■ \\d\\ 

< - (i - e)c 3 \\ef, if IMI > | + C4 !l^"„ — Mil- 

R 8c 3 -c 4 R\\C f \\-\\L\\ 

Hence, Theorem 2.2 is invoked with $\alpha_1(r) = c_1 r^2$, $\alpha_2(r) = c_2 r^2$, $W(e) = (1 - \theta) c_3 \|e\|^2$
and $\rho(r) = \big(c_4 \|B_d\| / (c_3 \theta - c_4 R \|C_f\| \cdot \|L\|)\big) r$, and the observation error system (6.29)
is globally ISpS w.r.t. the input $d$ with $\gamma(r) = \sqrt{c_2 / c_1}\, \big(c_4 \|B_d\| / (c_3 \theta - c_4 R \|C_f\| \cdot \|L\|)\big) r$
for $c_3 \theta - c_4 R \|C_f\| \cdot \|L\| > 0$. The remaining proof of closed-loop stability is identical
to the proof of Theorem 6.1, which completes the proof of Theorem 6.5.



D.2.5 Proof of Theorem IOI 

It is shown that the problem of finding a stabilising output-injection control law
$\dot{x}_f(t) = A x_f + K y_f(t)$ is equivalent to finding a stabilising Hammerstein-Wiener
virtual sensor (6.1). The combination of the output-injection control law with the
faulty plant (5.8) and nominal controller leads to the reconfigured closed-loop system
$\dot{x}_f(t) = A x_f(t) + K h(C x_f(t)) + B_d d(t)$, which has the same basic form as the
observation error system (6.26) after the substitutions $L = K$, $e = x_f$ up to a sign
and differing exogenous inputs. Thus, the problems are equivalent, and the
Hammerstein-Wiener virtual sensor is output-injection universal in the sense of
Definition 6.5.



D.3 Proofs of Chapter 7

D.3.1 Proof of Theorem 7.1

The condition f 6 Z,a ensures that the chosen setpoint is an output equilibrium of 
the faulty saturated system that corresponds to an equilibrium of the virtual actuator 
xa and an input equilibrium u e 1A C . It remains to be shown that the equilibrium 
f is always reached from any other feasible output equilibrium. Let (xa,1,u\) and 
(xa,?.,U2) be two feasible state equilibria. It must be shown that there exists a con- 
tinuous control input u c (f) that steers the system from (xa,i,U\) to (xa,i,u-2). 

Using the abbreviations A a — A — BfM and Ba — B — BfN, the equilibria are 
characterised by the equations 

= Axa,i —Bfsat(u f ,Uf,MxA,i + Nun + B sat\u,u,uij 
= Axao - Bfsatiu f ,u f, Mxa,2 + Nu2) + Bsat(u,u,U2) 
Ml = -B + A A A x A ,i, u 2 = -B + a A A Xa,2. 
Due to the satisfaction of the strong fault-hiding goal, and the assumption that
the nominal closed-loop system tracks feasible setpoints, the input $u_c$ certainly
approaches an equilibrium value $u_c$, starting from any initial condition $x_{\Delta,1}$. The
dynamical properties of setpoint change are next studied by showing that the system
is incrementally stable [5[]. The following relation is obtained from Theorem 2.1 in
the same way as in the proof of Theorem 6.1:

$$\dot{V}(x_\Delta - x_{\Delta,2}) \le -c_3 (1 - \theta) \|x_\Delta - x_{\Delta,2}\|^2 \quad \text{for} \quad \|x_\Delta - x_{\Delta,2}\| \ge \frac{c_4 L}{c_3 \theta} \|u_c - u_2\|.$$

Since it is known that $u_c(t) \to u_2$ for $t \to \infty$, the derivative $\dot{V}$ is guaranteed to be
eventually negative for $x_\Delta \ne x_{\Delta,2}$. Hence, the increment $x_\Delta - x_{\Delta,2}$ has been shown to
asymptotically vanish, and the state equilibrium is asymptotically reached.

Every admissible setpoint in z e Z, a is reached by applying a suitable input u c . 
The mapping from u to z is surjective, but not injective. Hence, u c is not unique. 
In particular, in the linear case multiple input equilibria U\, u 2 ••• may lead to the 
same given output equilibrium z: 

C z A~ l Bu x = C z A~ 1 Bu 2 = Z. 

However, not all candidate inputs generating z are admissible, because some of 
them may activate saturations; for example, -i(ki g It) but «2 6 It- The effect oc- 
curs particularly when actuator equilibrium values are chosen close to an actuation 
range boundary. The proper choice of N depends on the reference equilibrium value. 
From a practical point of view, it is, however, undesirable to change N in response 
to setpoint changes. This potential problem is due to ambiguity in the solution of 

the equation C z (A -BfM) B -C z (A-BfM\ BfN, which cannot occur if the 
faulty input matrix is minimum equilibrium-preserving. Since the output equilib- 
rium f is feasible, it follows that C z Xa - 0, and za - 0. 



D.4 Proofs of Chapter 8

D.4.1 Proof of TheoremWL 

The first synthesis LMI is obtained by inserting the matrix parameters of the transfer
function $T_{u_c \to z_\Delta}(s)$ defined in Equation (8.2) into the LMI of Theorem 4.1 and
performing the substitutions $X_{az} = X$ and $Y_{az} = M X_{az}$. The inverse $X_{az}^{-1}$ always exists,
since $X_{az}$ is positive definite by requirement, which completes the proof.



D.4.2 Proof of Theorem\8J\ 

The first synthesis LMI is obtained by inserting the matrix parameters of the transfer
function $T_{u_c \to u_f}(s)$ defined in Equation (8.3) into the LMI of Theorem 4.1 and
performing the substitutions $X_{au} = X$ and $Y_{au} = M X_{au}$. The inverse $X_{au}^{-1}$ always
exists, since $X_{au}$ is positive definite by requirement, which completes the proof.



D.4.3 Proof of Theorem\8J\ 

Clearly, the LMI (8.4) characterises the performance loss, and the LMI (8.5)
characterises the input amplification (see Theorem 4.1). It remains to combine both
goals into a single optimisation problem. Note that in both LMIs, the virtual
actuator gain $M$ is linked to the solutions $X_{az}, Y_{az}$ and $X_{au}, Y_{au}$ in the same way:
$M = Y_{az} X_{az}^{-1}$ and $M = Y_{au} X_{au}^{-1}$. From the point of view of independent descriptions
of the matrix norms $\|T_{u_c \to z_\Delta}\|_{H_\infty}$ and $\|T_{u_c \to u_f}\|_{H_\infty}$, the independent LMI
characterisations (8.4), (8.5) with separate variable pairs $(X_{az}, Y_{az})$ and $(X_{au}, Y_{au})$ are accurate.
However, the variables must be linked to the virtual actuator gain $M$ in a consistent
way. Therefore, the variables are unified by the substitutions $X_{az} = X_a$ and $X_{au} = X_a$,
as well as $Y_{az} = Y_a$ and $Y_{au} = Y_a$, leading to the LMIs (8.7), (8.8). The new variables
are linked to the gain $M$ by means of the relation $M = Y_a X_a^{-1}$, which completes the
proof.



D.5 Proofs of Chapter 10
D.5.1 Proof of Theorem \10J\ 



Closed-loop stability is established by using Lemma 10.1, the nominal closed-loop
IOS (Assumption 9.2), and the established IOS properties of the observation error
and difference systems together with Proposition 2.2. The equivalent closed-loop
block diagram can be drawn as in Fig. D.2 due to Equation (10.9), (10.10) and
interpreted as the cascade interconnection of the nominal closed-loop system with a
difference and error subsystem due to Lemma 10.1 (see Remark 10.1).



Fig. D.2 Transformed reconfigured closed-loop system (9.7), (9.6), (10.1), (10.2).



First, consider the feedback connection $(\Sigma_e, \Sigma_\Delta)$ (shaded block in Fig. D.2), to
which the signals $u_c$, $d$, and $x$ are external inputs. It was shown in Lemma 10.2 that

$$\|e(t)\| \le \beta_e(\|e(s)\|, t - s) + \gamma_d\big(\sup \|d(\tau)\|\big).$$

In other words, the ISS gain of the system $\Sigma_e$ from $x_\Delta$ to $e$ is zero. From the ISS
small-gain theorem [97, Theorem 5.6] it follows that the feedback interconnection
$(\Sigma_e, \Sigma_\Delta)$ is ISS w.r.t. the input $(u_c, x, d)$, hence also IOS w.r.t. the outputs $(e, x_\Delta)$.
The ISS small-gain property is now explicitly proven for this particular case. From
Lemma 10.2 the observation error dynamics is 0-GES for arbitrary inputs $x$ and $x_\Delta$
and ISS w.r.t. the disturbance $d$. In other words, for $t \ge s$ it is true that



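$$\|e(t)\| \le \beta_e(\|e(s)\|, t - s) + \gamma_d\Big(\sup_{s \le \tau \le t} \|d(\tau)\|\Big) \tag{D.25}$$

for some $\beta_e \in \mathcal{KL}$, $\gamma_d \in \mathcal{K}$. The difference system is globally exponentially stable
with $u_c = e = 0$ for arbitrary $x$ and ISS w.r.t. $u_c$ and $e$, hence it is true for $t \ge s \ge t_0 \ge 0$
that

$$\|x_\Delta(t)\| \le \beta_\Delta(\|x_\Delta(s)\|, t - s) + \gamma_u\Big(\sup_{s \le \tau \le t} \|u_c(\tau)\|\Big) + \gamma_e\Big(\sup_{s \le \tau \le t} \|e(\tau)\|\Big) \tag{D.26}$$

for some $\beta_\Delta \in \mathcal{KL}$, $\gamma_u, \gamma_e \in \mathcal{K}$. Applying (D.26) with $s = (t + t_0)/2$ gives

$$\|x_\Delta(t)\| \le \beta_\Delta\Big(\Big\|x_\Delta\Big(\tfrac{t + t_0}{2}\Big)\Big\|, \tfrac{t - t_0}{2}\Big) + \gamma_u\Big(\sup_{\frac{t + t_0}{2} \le \tau \le t} \|u_c(\tau)\|\Big) + \gamma_e\Big(\sup_{\frac{t + t_0}{2} \le \tau \le t} \|e(\tau)\|\Big). \tag{D.27}$$

To estimate the term $\big\|x_\Delta\big(\tfrac{t + t_0}{2}\big)\big\|$, apply (D.26) with $s = t_0$ and $t$ replaced by $(t + t_0)/2$
to get

$$\Big\|x_\Delta\Big(\tfrac{t + t_0}{2}\Big)\Big\| \le \beta_\Delta\Big(\|x_\Delta(t_0)\|, \tfrac{t - t_0}{2}\Big) + \gamma_u\Big(\sup_{t_0 \le \tau \le \frac{t + t_0}{2}} \|u_c(\tau)\|\Big) + \gamma_e\Big(\sup_{t_0 \le \tau \le \frac{t + t_0}{2}} \|e(\tau)\|\Big). \tag{D.28}$$

To estimate the term $\sup \|e(\tau)\|$, use (D.25) to obtain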



tQ<T<'^- 



'+'() 



sup ||e(T)||<AGkOD)ll,0) + y<i 
suplW T „l^«( e (^),^) + 

<&(ii<k?o)ii,^) 



sup \\d(r) 



yt <T<'-^- 



yd 



sup \\d(j) 

'^<r<t 



sup \\d(T) 



(D.29) 



(D.30) 
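By inserting (D.28)–(D.30) into (D.27) and using the fact that for $\gamma \in \mathcal{K}$ the relation
$\gamma(r_1 + r_2) \le \gamma(2 r_1) + \gamma(2 r_2)$ holds, the inequality

$$\begin{aligned}
\|x_\Delta(t)\| \le{} & \beta_\Delta\Big(2\beta_\Delta\big(\|x_\Delta(t_0)\|, \tfrac{t - t_0}{2}\big), \tfrac{t - t_0}{2}\Big) \\
& + \beta_\Delta\Big(2\gamma_e\big(2\beta_e(\|e(t_0)\|, 0)\big), \tfrac{t - t_0}{2}\Big) + \gamma_e\Big(2\beta_e\big(\|e(t_0)\|, \tfrac{t - t_0}{2}\big)\Big) \\
& + \beta_\Delta\Big(2\gamma_u\Big(\sup_{t_0 \le \tau \le \frac{t + t_0}{2}} \|u_c(\tau)\|\Big), \tfrac{t - t_0}{2}\Big) + \beta_\Delta\Big(2\gamma_e\Big(2\gamma_d\Big(\sup_{t_0 \le \tau \le \frac{t + t_0}{2}} \|d(\tau)\|\Big)\Big), \tfrac{t - t_0}{2}\Big) \\
& + \gamma_u\Big(\sup_{\frac{t + t_0}{2} \le \tau \le t} \|u_c(\tau)\|\Big) + \gamma_e\Big(2\gamma_d\Big(\sup_{\frac{t + t_0}{2} \le \tau \le t} \|d(\tau)\|\Big)\Big)
\end{aligned} \tag{D.31}$$

follows. Clearly, the sum of the first five terms is in class $\mathcal{KL}$, whereas the sum of the
last two terms is in class $\mathcal{K}$. Therefore the following shorter notation is introduced,

$$\|x_\Delta(t)\| \le \beta_1(\|x_\Delta(t_0)\|, t - t_0) + \beta_2(\|e(t_0)\|, t - t_0) + \gamma_1(\|u_c\|_{\mathcal{L}_\infty}) + \gamma_2(\|d\|_{\mathcal{L}_\infty}), \tag{D.32}$$

where $\beta_1(\cdot) = \beta_\Delta \circ 2\beta_\Delta(\cdot) \in \mathcal{KL}$ and $\beta_2(\cdot) = \beta_\Delta \circ 2\gamma_e \circ 2\beta_e(\cdot) + \gamma_e \circ 2\beta_e(\cdot) \in \mathcal{KL}$ as well
as $\gamma_1(\cdot) = \gamma_u(\cdot) + \beta_\Delta \circ 2\gamma_u(\cdot) \in \mathcal{K}$ and $\gamma_2(\cdot) = \gamma_e \circ 2\gamma_d(\cdot) + \beta_\Delta \circ 2\gamma_e \circ 2\gamma_d(\cdot) \in \mathcal{K}$.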

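The interconnection $(\Sigma_e, \Sigma_\Delta)$ satisfies the following relation, obtained by observing
that $\|(e^T, x_\Delta^T)^T\| \le \|e\| + \|x_\Delta\|$ and $\|(u_c^T, d^T)^T\| \le \|u_c\| + \|d\|$ and inserting the above
relations:

$$\begin{aligned}
\left\| \begin{pmatrix} e(t) \\ x_\Delta(t) \end{pmatrix} \right\| \le{} & \beta_e(\|e(t_0)\|, t - t_0) + \gamma_d(\|d\|_{\mathcal{L}_\infty}) + \beta_1(\|x_\Delta(t_0)\|, t - t_0) + \beta_2(\|e(t_0)\|, t - t_0) \\
& + \gamma_1(\|u_c\|_{\mathcal{L}_\infty}) + \gamma_2(\|d\|_{\mathcal{L}_\infty}) \\
\le{} & \beta_e\left( \left\| \begin{pmatrix} x_\Delta(t_0) \\ e(t_0) \end{pmatrix} \right\|, t - t_0 \right) + \beta_1\left( \left\| \begin{pmatrix} x_\Delta(t_0) \\ e(t_0) \end{pmatrix} \right\|, t - t_0 \right) + \beta_2\left( \left\| \begin{pmatrix} x_\Delta(t_0) \\ e(t_0) \end{pmatrix} \right\|, t - t_0 \right) \\
& + \gamma_d\left( \left\| \begin{pmatrix} u_c \\ d \end{pmatrix} \right\|_{\mathcal{L}_\infty} \right) + \gamma_1\left( \left\| \begin{pmatrix} u_c \\ d \end{pmatrix} \right\|_{\mathcal{L}_\infty} \right) + \gamma_2\left( \left\| \begin{pmatrix} u_c \\ d \end{pmatrix} \right\|_{\mathcal{L}_\infty} \right).
\end{aligned}$$

An ISS-characterisation for the interconnected system $(\Sigma_e, \Sigma_\Delta)$ has been obtained,
where clearly $[\beta_e(r, s) + \beta_1(r, s) + \beta_2(r, s)] \in \mathcal{KL}$ and $[\gamma_d(r) + \gamma_1(r) + \gamma_2(r)] \in \mathcal{K}$ hold.
It is concluded that the subsystem $(\Sigma_e, \Sigma_\Delta)$ is ISS w.r.t. the input $(u_c, d, x)$, where, in
fact, the ISS gain from $x$ and $u_c$ to $e$ is zero.

The system $(\Sigma_P, \Sigma_C)$ is IOS w.r.t. the input $r$ and the output $(u_c, x)$ by Assumption
9.2. Using Proposition 2.2 and ignoring the feedback of $e$ to $y_c$, it may be
concluded that the series interconnection $((\Sigma_P, \Sigma_C), (\Sigma_e, \Sigma_\Delta))$ that represents the
reconfigured closed-loop system is IOS. Re-introducing the feedback of $e$ maintains
the stability property by the ISS small-gain theorem, since the ISS gain from $u_c$ and
$x$ to $e$ is zero, which completes the proof.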
D.5.2 Proof of Theorem \10J\

To show ISpS of the error dynamics (10.17) w.r.t. the disturbance input $d$, an
ISS-Lyapunov function $V(e) = \tfrac{1}{2} e^T X e$ is constructed. By using Theorem 9.1 while
observing that the error dynamics (10.17) is continuous, one directly obtains for
some $a > 0$, $b > 0$, $\theta \in (0, 1)$ that

V{e) = e T Xe = e T xlk e (x f + e)- k e (x f ) - (B d i) ( * )J 

<-ae^Xe-e T x(B d i)^ 



< -b\\e\\ 2 + \\e\\ ■ \\XB d \\ ■ \\d\\ + Ik • ||AT|| ■ \\e(x f )\\ 

^-bWetf + WeW-WXBaW-WdW + WeW-WXW-E 

= _ ( i _ me f _ eb \\ e f + M . \\XB d \\ ■ \\d\\ + \\e\\ ■ HATH ■ E 

<-(l-WH| 2 if|H|>^|MU + . £ 



\\Bi 



which is a Lyapunov characterisation of the ISpS property [89]. In other words, in
the absence of disturbances, the observation error converges to a ball with the radius
$K = E \|X\| / (\theta b)$.

With this result for the ISpS of the observation error, the remaining proof of
closed-loop ISpS follows closely along the lines of the proof of Theorem D.5.1,
which is not repeated here.

D.5.3 Proof of Theorem 10.3

Consider the LMIs (10.11) for characterising stabilising gains of the virtual sensor.
The substitutions $C_f \to B_f^T$ and $A_i \to A_i^T$ transform the LMIs (10.11) to the LMIs

$$X_s A_i^T + A_i X_s - Y_s B_f^T - B_f Y_s^T < 0.$$

By relabeling $X_a = X_s$ and $Y_a = Y_s^T$, the LMIs (10.13) have been derived. This result
implies that any solution $(X_s, Y_s)$ to the LMIs (10.11) with the parameters $(A_i, C_f)$
corresponding to a PWA system with sensor faults also provides a solution $(X_a, Y_a)$
to the LMIs (10.13) with the parameters $(A_i^T, B_f)$, which corresponds to a PWA
system with actuator faults. The solutions $L$ and $M$ are linked by the relation

$$M = Y_a X_a^{-1} = Y_s^T X_s^{-1} = (X_s^{-1} Y_s)^T = L^T,$$

which completes the proof.
D.6 Proofs of Chapter 11

D.6.1 Proof of Theorem 11.1

The interconnection $(\Sigma_e, \Sigma_\Delta)$ is proven to be ISS with respect to the input $(u_c, x, d)$
using Lemmas 11.4 and 11.5 as follows. It was shown in Lemma 11.4 that
$\|e(t)\| \le c e^{-at} \|e(0)\|$ for $t \ge 0$. In other words, the ISS gain of the system $\Sigma_e$ from $(x_\Delta, x)$ to
$e$ is zero. The system $\Sigma_\Delta$ has finite ISS gain from its inputs $u_c$, $x$, and $e$ to $(x_\Delta, x_i)$.
Moreover, the IOS gain (see [89]) from $x$ to $x_\Delta$ is zero. From the ISS small-gain
theorem [97, Theorem 5.6] and the IOS small-gain theorem [89, Theorem 2.1], it
follows that the feedback interconnection $(\Sigma_e, \Sigma_\Delta)$ is ISS w.r.t. the input $(u_c, x, d)$,
hence also IOS w.r.t. the outputs $(e, x_\Delta)$. An explicit proof in terms of this result is
straightforward to obtain based on elementary manipulations of the corresponding
comparison functions.
Fig. D.3 Transformed extended reconfigured closed-loop system 03. 5t . d9.7K dll.5t . dll.llt . 



Next, the ISS property for the reconfigured extended closed-loop system
$(\Sigma_{Pf}, \Sigma_S, \Sigma_A, \Sigma_C)$ must be verified, which is graphically shown in Fig. D.3. In
particular, the feedback signal $e = (e^T \; e_d^T)^T$ exponentially converges to zero by
Lemma 11.4. The state variable $x_\Delta$ in $\Sigma_\Delta$ is not part of a feedback interconnection.
However, the state estimation error $e$ and the disturbance observation error $e_d$
are in feedback interconnection with $\Sigma_P$. Note that by Lemma 11.4 the signal $e_d$
exponentially converges to zero for arbitrary inputs $u_c$, $x$. Therefore, the IOS gain
of the system $(\Sigma_e, \Sigma_\Delta)$ from the input $(u_c, x)$ to the output $(e, e_d)$ is zero and it
follows from the IOS small-gain theorem [89, Theorem 2.1] and from Assumption 9.3
that the reconfigured extended closed-loop system is ISS. Note that Assumption 9.3
is applicable since $\lim_{t \to \infty} e(t) = 0$ holds and $(\Sigma_P, \Sigma_C)$ is assumed to be ISS w.r.t.
$e$. Therefore, it has been shown that Problem 9.2 is solved with respect to stability
recovery.

It remains to be verified that Problem 9.2 is also solved with respect to setpoint
tracking recovery. In Chapter 11.3 it has been shown that the reconfigured
closed-loop system tracks constant setpoints to precision $K$ provided that the nominal
closed-loop system tracks them to this precision, and provided that the extended
observation error $e$ vanishes and the difference system's state $x_\Delta$ seen through the
output matrix $C_z$ vanishes. According to Fig. D.3, the system $(\Sigma_P, \Sigma_C)$ is governed
by nominal dynamics except for the observation errors $e$ and $e_d$ that perturb the
nominal closed-loop system in the form of intermittent measurement noise, since
$\lim_{t \to \infty} e(t) = 0$ and $\lim_{t \to \infty} e_d(t) = 0$. Consequently, Assumption 9.3 also applies to
the system $(\Sigma_P, \Sigma_C)$, and the complete solution to Problem 9.2 is provided.



D.6.2 Proof of Theorem 11.2

Noting that the function $k_e$ in (11.9) is continuous, a Lyapunov function
$V(e) = \tfrac{1}{2} e^T X e$ is constructed for the system (11.31). The satisfaction of the LMIs (11.19)
implies according to Theorem 9.1 that there exist $b > 0$ and $\theta \in (0, 1)$ such that

$$\dot{V}(e) = e^T X \dot{e} = e^T X \big(k_e(x + e) - k_e(x) - \varepsilon(x_f) - g\big) \tag{D.33}$$

$$\le -(1 - \theta) b \|e\|^2 - \theta b \|e\|^2 + \|e\| \cdot \|X\| E + \|e\| \cdot \|X\| \cdot \|g\| \tag{D.34}$$

$$\le -(1 - \theta) b \|e\|^2 \quad \text{if} \quad \|e\| \ge \frac{\|X\|}{\theta b} (E + F), \tag{D.35}$$



which is a Lyapunov characterisation of the ISpS property 18911 - In the presence 
of disturbance variation, the extended observation error converges to a ball propor- 
tional in size to the bound on the disturbance variation ( ^ (E + F) '" (X) ) ■ 

With this result for the ISpS of the observation error, the remaining proof of
closed-loop ISpS follows closely along the lines of the proof of Theorem D.6.1,
which is not repeated here. The proof is based on the observation that the model
approximation error $\varepsilon$ only affects the observation error, but neither the difference
system, nor the ISS small-gain properties of the interconnection $(\Sigma_e, \Sigma_\Delta)$ (Fig. D.4).



Fig. D.4 Transformed extended reconfigured closed-loop system (9.6), (9.7), (11.5), (11.11)
with modelling error.



The reduced tracking precision follows from the observation that the observation
error is bounded by a constant proportional to the model error bound $E$, that the
bounded observation error induces a bounded difference system state whose bound
is also proportional to the model error bound $E$, and the fact that the steady-state
tracking error satisfies the relation
$\limsup_{t \to \infty} \|e_z(t)\| = \limsup_{t \to \infty} \|r(t) - C_z x(t) + C_z (x_\Delta(t) + e(t))\|$,
where $\limsup_{t \to \infty} \|r(t) - C_z x(t)\| \le K'$ from Assumption 11.1,
$\lim_{t \to \infty} \|C_z e(t)\| \le c \cdot (E + F)$ for $c = \|X\| / (\theta b)$, and $\lim_{t \to \infty} \|C_z x_\Delta(t)\| \le c \cdot d \cdot (E + F)$,
where $d$ is the ultimate gain of $\Sigma_\Delta$ w.r.t. the input $e$ and the output $x_\Delta$, and therefore
$\limsup_{t \to \infty} \|e_z(t)\| \le K' + c \cdot d \cdot (E + F)$. Note that $e$ and $e_d$ act like persistent
measurement disturbances on the system $\Sigma_P$.



D.6.3 Proof of Theorem 11.3

Consider the extended observation error ( 111.331 ) and the inputs i\{t), /2(f)- De- 
note the ISS gain of the feedback interconnection (Ec,Ep,E e ,E/i) from the input 
(/p il, £3 , i^) T to the output (x T - x T A —e T , x T j, x A ) T by g (this gain exists and is 
finite, since the new inputs i\ and £2 to E e enter additively parallel to g, 13 enters the 
measurement equation additively parallel to e, and £4 enters Ea in parallel to u c and 
e). According to the ISS small-gain theorem, the feedback loop closed by attaching 
the system with the input (x T — x A — e T , xj, x T A ) T and the output (i[, il , ij , i^) T is 
ISS w.r.t. the external input (r,g) if Condition ( 111.361 ) is satisfied. 



D.6.4 Proof of Theorem 11.4

Consider the LMIs ( 111.191 ) for characterising stabilising gains of the virtual sen- 
sor. The substitutions C/ — > B T f and A, — > AJ (which correspond to the substitu- 
tions A; — > AT, C z — » B T d , and Cf — > B T f of the block components) transform the 
LMIs (TTTTT91 to the LMIs 

Z,A, r + A,X S - Y s B T f - B f fJ < 0. 

By relabeling X a = X s and F a = Yj, the LMI dl 1.231 ) has been derived. This result 
implies that any solution (X S ,Y S ) to the LMIs ( 111.191 1 with the parameters (Cf,At) 
corresponding to a PWA system with sensor faults also provides a solution (X a , Y a ) 
to the LMIs dl 1.231 ) for the system with the parameters (AT, CT), which corresponds 
to a PWA system with actuator faults. The solutions L and M are linked by the 
relation 

m =Y a x;, 1 = ? T x; 1 = (x; l Y s f = L T , 

which completes the proof. 



Appendix E
Models of the Thermofluid Process

E.1 Nonlinear Process Model



Using mass and enthalpy balances 118 111 , the nonlinear state space model for the 
thermofluid process is obtained as follows. The dependence of quantities on time is 
not denoted explicitly for the sake of simplicity. The state equation has the structure 
dX2l)with 

, , . 1 /^el,Ts(M)-<2v,Ts(*,«) , , \ 

fi(x,u)= —^—l +h(x,u) , 

Aphs \ c p / 

f2(x,u) = — [m TB (u) + m TM (u) + thcyj(u)-m T y/(x,u)\, 

fi(x,u) = m TB (u)(cjb - cj S ) + /w T m(«)(ctm - cts) - mcw(")cTS 1, 

et , 1 /^el,Tfi(H)-Gv,TB(X,«) . , „ „ 

fy(X,U) = +m T v(#TV-#TB) 

Ap/ T B \ Cp 

1 1 

f5(x,u) = -- — x C w + - — «cw, 
1 cw ^ cw 

f 6 (X,U) = .Tel.TB + "el.TB, 

1 el.TB * el.TB 

1 1 

fi(X,u) = X e l,TS + "el.TS, 

1 el.TS 1 el.TS 

and 

h(x,u) = m TB (u)(&TB-ftTs) + m TM (u)(# TM -&Ts) + mcw(u)(&cw-ftTs)- 
The output equation of the model ( 13.2b has the entries 

h(x) = 1?TS, 
h 2 (x) = hs, 
h 3 (x) = 0.4469 — + 2047.7 — c TS , 
cm cm 

h 4 (x) = # T B- 



The parameters of the nonlinear model are given with their values in Table E.1.
Below, each term is presented in more detail by plant component.

Table E.1 Nonlinear state space model parameters.

Parameter            Value
$T_{CW}$             3.7 s
$T_{el,TB}$          27 s
$T_{el,TS}$          65 s
$c_{TM}$             $1.97930 \cdot 10^{-3}$
$c_{TB}$             $1.73513 \cdot 10^{-3}$
$l_{TB}$             0.41 m
$l_{TM}$             0.31 m
$\vartheta_{CW}$     25 °C
$A$                  0.707 m$^2$
$\vartheta_U$        22.5 °C



Cold water supply $u_{CW}$. The subordinate control of the cold water mass flow rate
$\dot{m}_{CW}$ into the tank TS is modelled as a controlled actuator, with the desired mass
flow rate as its input, and is modelled as a first order delay block

$$\dot{x}_{CW}(t) = -\frac{1}{T_{CW}} x_{CW}(t) + \frac{1}{T_{CW}} u_{CW}(t),$$

$$\dot{m}_{CW}(t) = x_{CW}(t).$$



Pump $u_{PS}$. The mass flow rate $\dot{m}_{TW}$ from the tank TS is controlled by means of the
pump. Since the smallest possible mass flow is too large for the considered process,
pulse-width modulation (PWM) is used to realise smaller flow rates:

$$u_{PS}(t) = \frac{T_{on}(t)}{T_{PWM}},$$

with a period $T_{PWM} = 6$ s. Taking the elevation of 0.36 m into account, the mass
flow rate out of the tank TS into the tank TW is

$$\dot{m}_{TW}(t) = 0.1679\, \frac{\text{kg}}{\text{s}\sqrt{\text{m}}}\; u_{PS}(t) \sqrt{l_{TS}(t) + 0.36\,\text{m}}.$$

Control valve $u_{\mathrm{TB}}$. The control of the mass flow rate $\dot m_{\mathrm{TB}}$ from TB into TS uses the
control valve $u_{\mathrm{TB}}$. The mass flow through the valve is subject to a dead zone due to
combined pump and valve properties:

$$
\dot m_{\mathrm{TB}}(t) =
\begin{cases}
\left(c_1 + c_2\,(u_{\mathrm{TB}}(t) - D_1)\right) \cdot \sqrt{l_{\mathrm{TB}} + 0.3\,\mathrm{m}}, & \text{if } u_{\mathrm{TB}} > D_1, \\
0\,\frac{\mathrm{kg}}{\mathrm{s}}, & \text{if } u_{\mathrm{TB}} \le D_1,
\end{cases}
$$

with the parameters $c_1 = 0.019$ kg/(s√m), $c_2 = 0.727$ kg/(s√m) and a dead zone
$D_1 = 0.13$.

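Control valve $u_{\mathrm{TM}}$. The control of the mass flow $\dot m_{\mathrm{TM}}$ from TM into TS happens
analogously to $\dot m_{\mathrm{TB}}$ using the control valve $u_{\mathrm{TM}}$, yielding

$$
\dot m_{\mathrm{TM}}(t) =
\begin{cases}
\left(c_3 + c_4\,(u_{\mathrm{TM}}(t) - D_2)\right) \cdot \sqrt{l_{\mathrm{TM}} + 0.3\,\mathrm{m}}, & \text{if } u_{\mathrm{TM}} > D_2, \\
0\,\frac{\mathrm{kg}}{\mathrm{s}}, & \text{if } u_{\mathrm{TM}} \le D_2,
\end{cases}
\tag{E.1}
$$

with the parameters $c_3 = 0.047$ kg/(s√m), $c_4 = 0.605$ kg/(s√m) and a dead zone
$D_2 = 0.04$.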

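Heater $u_{\mathrm{el,TS}}$. The heater $u_{\mathrm{el,TS}}$ in the reactor TS consists of 4 heating rods, each with
1 kW power. Every heating rod can only be turned completely on or off, hence PWM
is used to provide a pseudo-continuous power range. The heater $u_{\mathrm{el,TS}}$ is modelled
as a first order delay block with input $u_{\mathrm{el,TS}}$ and output $P_{\mathrm{el,TS}}$,

$$
\begin{aligned}
\dot x_{\mathrm{el,TS}}(t) &= -\frac{1}{T_{\mathrm{el,TS}}}\, x_{\mathrm{el,TS}}(t) + \frac{1}{T_{\mathrm{el,TS}}}\, u_{\mathrm{el,TS}}(t), \\
P_{\mathrm{el,TS}}(t) &= k_{\mathrm{el,TS}}\, x_{\mathrm{el,TS}}(t),
\end{aligned}
$$

where $k_{\mathrm{el,TS}} = 4$ kW.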

Heat loss of the reactor TS. By experience, the heat loss $Q_{\mathrm{V,TS}}$ depends on the
activity of the heating rods:

n <* rm /e^s^Ts(O), if M el.TS>0 

(GvxS^TsW), lf«d,TS = 0. 

The individual heat losses are 

|c 5 (0TS«-tfu), if^TS>^U 



'OW, if#n<#D, 

V - TS [0W, if# T S<#U, 

where $c_5 = 46.9403$ W/K, $c_6 = 4.8968$ W/K and the ambient temperature $\vartheta_{\mathrm{U}} =
22.5$ °C. Heat transfer into TS in case the ambient air is warmer than the reactor
content ($\vartheta_{\mathrm{TS}} < \vartheta_{\mathrm{U}}$) is neglected, because the process is only operated above
ambient temperature.
Heater $u_{\mathrm{el,TB}}$. The heater $u_{\mathrm{el,TB}}$ in the reactor TB consists of 6 heating rods with
3 kW power each. As in TS, the heating rods are operated using PWM. The 6 rods
are modelled as a first order delay block with input $u_{\mathrm{el,TB}}$ and output $P_{\mathrm{el,TB}}$,

$$
\begin{aligned}
\dot x_{\mathrm{el,TB}}(t) &= -\frac{1}{T_{\mathrm{el,TB}}}\, x_{\mathrm{el,TB}}(t) + \frac{1}{T_{\mathrm{el,TB}}}\, u_{\mathrm{el,TB}}(t), \\
P_{\mathrm{el,TB}}(t) &= k_{\mathrm{el,TB}}\, x_{\mathrm{el,TB}}(t),
\end{aligned}
$$

where $k_{\mathrm{el,TB}} = 18$ kW.

Heat loss of the reactor TB. The heat loss $Q_{\mathrm{V,TB}}$ in TB is modelled depending on
the heating rod operation as for TS:



2v,tb(#tb(0) = , . , 
with the loss terms 



G^tb(*Tb(0). if«el,TB>0 
GvV^TB(O), if«d,TB=0, 



Q^(^))-{ Cl(&JBit) ~ &V) ' lf ' TB " U 

V,TB (OW, if*TB<*U, 

V - TB (OW, if*TB<*U, 

and parameters $c_7 = 135.468$ W/K and $c_8 = 4.8968$ W/K. As for TS, heat transfer
into TB is not modelled due to the process operating exclusively above the ambient
temperature.

To linearise this model around the equilibrium given in Table E.2, it must be noted
that, due to the dead zone (Equation (E.1)), the states are decoupled from the input
signal $u_{\mathrm{TM}}$. To preserve this dependency, the mass flow rate from TM into TS is
modelled for the purpose of linearisation as

$$
\dot m_{\mathrm{TM}}(t) = 0.6428\,\frac{\mathrm{kg}}{\mathrm{s}\sqrt{\mathrm{m}}}\; u_{\mathrm{TM}}(t)\, \sqrt{l_{\mathrm{TM}} + 0.3\,\mathrm{m}}.
$$
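The following Python sketch is an added illustration, not code from the monograph. It compares the input sensitivity of the dead-zone valve model (E.1) with that of the surrogate used for linearisation, and measures how far the two flow models differ over the valve range. The function names and the operating point u_TM = 0 inside the dead zone are assumptions; the numerical parameters are the ones quoted in this appendix.

```python
import math

# Values quoted in this appendix: Table E.1 and the description of valve u_TM.
L_TM = 0.31             # level in tank TM, m
C3, C4 = 0.047, 0.605   # valve coefficients, kg/(s*sqrt(m))
D2 = 0.04               # dead zone of valve u_TM
K_LIN = 0.6428          # gain of the linearisation surrogate, kg/(s*sqrt(m))
HEAD = math.sqrt(L_TM + 0.3)


def mdot_tm(u):
    """Dead-zone valve model (E.1): mass flow from TM into TS in kg/s."""
    return (C3 + C4 * (u - D2)) * HEAD if u > D2 else 0.0


def mdot_tm_surrogate(u):
    """Surrogate without dead zone, used only for linearisation."""
    return K_LIN * u * HEAD


def input_gain(model, u0, eps=1e-6):
    """Central-difference estimate of d(mdot)/du at the operating point u0."""
    return (model(u0 + eps) - model(u0 - eps)) / (2.0 * eps)


def worst_mismatch(steps=1000):
    """Largest |surrogate - dead-zone model| over u in [0, 1], and where it occurs."""
    grid = (i / steps for i in range(steps + 1))
    return max((abs(mdot_tm_surrogate(u) - mdot_tm(u)), u) for u in grid)


if __name__ == "__main__":
    u0 = 0.0  # assumed operating point inside the dead zone
    print("gain, dead-zone model:", input_gain(mdot_tm, u0))
    print("gain, surrogate:      ", input_gain(mdot_tm_surrogate, u0))
    err, u_at = worst_mismatch()
    print(f"worst mismatch {err:.4f} kg/s at u_TM = {u_at:.3f}")
```

Inside the dead zone the original model contributes a zero column entry for u_TM to the linearised input matrix, whereas the surrogate yields a nonzero gain; the largest flow error of the surrogate sits at the dead-zone edge.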



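Table E.2 Equilibrium point used for operation and linearisation

| Equilibrium value | Equilibrium value |
|---|---|
| $\vartheta_{\mathrm{TS}} = 25$ °C | $c_{\mathrm{TS}} = 8.07 \cdot 10^{-4}$ % |
| $l_{\mathrm{TS}} = 0.335$ m | $u_{\mathrm{TB}} = 0.1618$ |
| $\vartheta_{\mathrm{TB}} = 25$ °C | $u_{\mathrm{PS}} = 0.603$ |
| $u_{\mathrm{TM}} =$ | $x_{\mathrm{el,TS}} = u_{\mathrm{el,TS}} = 0.5181$ |
| $u_{\mathrm{CW}} = x_{\mathrm{CW}} = 0.04$ kg/s | $x_{\mathrm{el,TB}} = u_{\mathrm{el,TB}} = 6.93 \cdot 10^{-4}$ |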
E.2 Piecewise Affine Process Model

The following piecewise affine model defined on 48 polytopes is used in this mono- 
graph. 



[Matrix listing: system matrices $A_1$ to $A_{48}$ of the piecewise affine model and the accompanying vectors; the matrix layout did not survive extraction.]